diff --git a/packages/carbon_black_cloud/1.0.2/changelog.yml b/packages/carbon_black_cloud/1.0.2/changelog.yml
deleted file mode 100755
index 50baa53bb7..0000000000
--- a/packages/carbon_black_cloud/1.0.2/changelog.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-# newer versions go on top
-- version: "1.0.2"
- changes:
- - description: Fix dashboard issues.
- type: bugfix
- link: https://github.com/elastic/integrations/issues/3462
-- version: "1.0.1"
- changes:
- - description: Change event.outcome value from failure to failed according to ECS
- type: bugfix
- link: https://github.com/elastic/integrations/issues/3407
-- version: "1.0.0"
- changes:
- - description: Make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3428
-- version: 0.1.2
- changes:
- - description: Add "VMware" to the title to make it "VMware Carbon Black Cloud".
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3196
-- version: 0.1.1
- changes:
- - description: Captured domain from username and hostname
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3106
-- version: 0.1.0
- changes:
- - description: Initial draft of the package.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2760
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/alert/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/1.0.2/data_stream/alert/agent/stream/aws-s3.yml.hbs
deleted file mode 100755
index e02c596614..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/alert/agent/stream/aws-s3.yml.hbs
+++ /dev/null
@@ -1,24 +0,0 @@
-bucket_arn: {{bucket_arn}}
-number_of_workers: {{number_of_workers}}
-bucket_list_interval: {{interval}}
-access_key_id: {{access_key_id}}
-secret_access_key: {{secret_access_key}}
-bucket_list_prefix: {{bucket_list_prefix}}
-expand_event_list_from_field: Records
-{{#if proxy_url}}
-proxy_url: {{proxy_url}}
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/alert/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/1.0.2/data_stream/alert/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 2f738b21a6..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/alert/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,52 +0,0 @@
-config_version: 2
-interval: {{interval}}
-request.timeout: 2m
-request.method: POST
-
-{{#if proxy_url}}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-
-request.url: {{hostname}}/appservices/v6/orgs/{{org_key}}/alerts/_search
-request.transforms:
- - set:
- target: header.X-Auth-Token
- value: {{custom_api_secret_key}}/{{custom_api_id}}
- - set:
- target: body.criteria.last_update_time.start
- value: '[[.cursor.last_update_timestamp]]'
- default: '[[formatDate ((now (parseDuration "-{{initial_interval}}")).Add (parseDuration "-15m")) "RFC3339"]]'
- - set:
- target: body.criteria.last_update_time.end
- value: '[[formatDate (now (parseDuration "-15m")) "RFC3339"]]'
- - set:
- target: body.sort
- value: '[{ "field": "last_update_time", "order": "ASC"}]'
- value_type: json
-response.pagination:
- - set:
- target: body.criteria.last_update_time.start
- value: '[[if (ne .last_response.body.num_found .last_response.body.num_available)]][[.last_event.last_update_time]][[else]][[.last_response.terminate_pagination]][[end]]'
- fail_on_template_error: true
-cursor:
- last_update_timestamp:
- value: '[[.last_event.last_update_time]]'
-response.split:
- target: body.results
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.0.2/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index f6f5fc171e..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,313 +0,0 @@ ---- -description: Pipeline for parsing Carbon Black Cloud alerts. -processors: - - set: - field: ecs.version - value: "8.0.0" - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - fingerprint: - fields: - - json.id - - json.create_time - - json.last_update_time - target_field: _id - ignore_missing: true - - date: - field: json.create_time - target_field: "@timestamp" - ignore_failure: true - formats: - - ISO8601 - - set: - field: event.kind - value: alert - - rename: - field: json.id - target_field: event.id - ignore_missing: true - - rename: - field: json.first_event_time - target_field: event.start - ignore_missing: true - - rename: - field: json.last_event_time - target_field: event.end - ignore_missing: true - - rename: - field: json.severity - target_field: event.severity - ignore_missing: true - - urldecode: - field: json.alert_url - target_field: event.url - ignore_missing: true - - rename: - field: json.reason - target_field: event.reason - ignore_missing: true - - convert: - field: json.device_id - target_field: host.id - type: string - ignore_missing: true - - set: - field: host.os.type - value: windows - if: ctx?.json?.device_os == "WINDOWS" - - set: - field: host.os.type - value: linux - if: ctx?.json?.device_os == "LINUX" - - set: - field: host.os.type - value: macos - if: ctx?.json?.device_os == "MAC" - - set: - field: event.kind - value: alert - - rename: - field: json.device_os_version - target_field: host.os.version - ignore_missing: true - - rename: - field: json.device_name - target_field: host.hostname - ignore_missing: true - - grok: - field: host.hostname - patterns: - - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$' - ignore_missing: true - ignore_failure: true - - set: - field: host.name - value: "{{{host.hostname}}}" - ignore_failure: true - - append: - field: host.ip - value: 
"{{{json.device_internal_ip}}}" - if: ctx?.json?.device_internal_ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: host.ip - value: "{{{json.device_external_ip}}}" - if: ctx?.json?.device_external_ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.device_username - target_field: user.name - ignore_missing: true - - grok: - field: user.name - patterns: - - '^(%{DATA:user.domain})\\(%{GREEDYDATA:user.name})$' - ignore_missing: true - ignore_failure: true - - append: - field: related.ip - value: - - "{{{json.device_internal_ip}}}" - - "{{{json.device_external_ip}}}" - allow_duplicates: false - - append: - field: related.user - value: - - "{{{user.name}}}" - allow_duplicates: false - - append: - field: related.hosts - value: - - "{{{host.hostname}}}" - - "{{{user.domain}}}" - allow_duplicates: false - - append: - field: related.hash - value: - - "{{{json.threat_cause_actor_md5}}}" - - "{{{json.threat_cause_actor_sha256}}}" - allow_duplicates: false - - rename: - field: json.process_name - target_field: process.name - ignore_missing: true - - rename: - field: json.process_path - target_field: process.executable - ignore_missing: true - - rename: - field: json.process_guid - target_field: process.entity_id - ignore_missing: true - - rename: - field: json.vendor_name - target_field: carbon_black_cloud.alert.vendor_name - ignore_missing: true - - rename: - field: json.product_name - target_field: carbon_black_cloud.alert.product_name - ignore_missing: true - - rename: - field: json.serial_number - target_field: carbon_black_cloud.alert.serial_number - ignore_missing: true - - rename: - field: json.policy_id - target_field: carbon_black_cloud.alert.policy.id - ignore_missing: true - - rename: - field: json.policy_name - target_field: carbon_black_cloud.alert.policy.name - ignore_missing: true - - rename: - field: json.threat_id - target_field: carbon_black_cloud.alert.threat_id - ignore_missing: true - - 
rename: - field: json.policy_applied - target_field: carbon_black_cloud.alert.policy.applied - ignore_missing: true - - rename: - field: json.threat_activity_c2 - target_field: carbon_black_cloud.alert.threat_activity.c2 - ignore_missing: true - - rename: - field: json.threat_activity_dlp - target_field: carbon_black_cloud.alert.threat_activity.dlp - ignore_missing: true - - rename: - field: json.threat_activity_phish - target_field: carbon_black_cloud.alert.threat_activity.phish - ignore_missing: true - - rename: - field: json.threat_cause_actor_name - target_field: carbon_black_cloud.alert.threat_cause.actor.name - ignore_missing: true - - rename: - field: json.threat_cause_actor_process_pid - target_field: carbon_black_cloud.alert.threat_cause.actor.process_pid - ignore_missing: true - - rename: - field: json.threat_cause_actor_sha256 - target_field: carbon_black_cloud.alert.threat_cause.actor.sha256 - ignore_missing: true - - rename: - field: json.threat_cause_actor_md5 - target_field: carbon_black_cloud.alert.threat_cause.actor.md5 - ignore_missing: true - - rename: - field: json.threat_cause_cause_event_id - target_field: carbon_black_cloud.alert.threat_cause.cause_event_id - ignore_missing: true - - rename: - field: json.threat_cause_parent_guid - target_field: carbon_black_cloud.alert.threat_cause.process.parent.guid - ignore_missing: true - - rename: - field: json.threat_cause_process_guid - target_field: carbon_black_cloud.alert.threat_cause.process.guid - ignore_missing: true - - rename: - field: json.threat_cause_reputation - target_field: carbon_black_cloud.alert.threat_cause.reputation - ignore_missing: true - - rename: - field: json.threat_cause_threat_category - target_field: carbon_black_cloud.alert.threat_cause.threat_category - ignore_missing: true - - rename: - field: json.threat_cause_vector - target_field: carbon_black_cloud.alert.threat_cause.vector - ignore_missing: true - - rename: - field: json.ioc_field - target_field: 
carbon_black_cloud.alert.ioc.field - ignore_missing: true - - rename: - field: json.ioc_hit - target_field: carbon_black_cloud.alert.ioc.hit - ignore_missing: true - - rename: - field: json.ioc_id - target_field: carbon_black_cloud.alert.ioc.id - ignore_missing: true - - rename: - field: json.report_id - target_field: carbon_black_cloud.alert.report.id - ignore_missing: true - - rename: - field: json.report_name - target_field: carbon_black_cloud.alert.report.name - ignore_missing: true - - rename: - field: json.org_key - target_field: carbon_black_cloud.alert.organization_key - ignore_missing: true - - rename: - field: json.device_location - target_field: carbon_black_cloud.alert.device.location - ignore_missing: true - - rename: - field: json.device_os - target_field: carbon_black_cloud.alert.device.os - ignore_missing: true - - rename: - field: json.device_internal_ip - target_field: carbon_black_cloud.alert.device.internal_ip - ignore_missing: true - - rename: - field: json.device_external_ip - target_field: carbon_black_cloud.alert.device.external_ip - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - lowercase: - field: json.category - ignore_missing: true - - script: - description: Adds all the remaining fields in fields under carbon_black_cloud.alert - lang: painless - if: ctx?.json != null - source: | - for (Map.Entry m : ctx.json.entrySet()) { - ctx.carbon_black_cloud.alert[m.getKey()] = m.getValue(); - } - - remove: - field: - - json - - carbon_black_cloud.alert.create_time - - carbon_black_cloud.alert.device_id - - carbon_black_cloud.alert.alert_url - ignore_missing: true - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) 
object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: - - set: - field: error.message - value: "{{{_ingest.on_failure_message}}}" diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/alert/fields/agent.yml b/packages/carbon_black_cloud/1.0.2/data_stream/alert/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/carbon_black_cloud/1.0.2/data_stream/alert/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/alert/fields/base-fields.yml b/packages/carbon_black_cloud/1.0.2/data_stream/alert/fields/base-fields.yml
deleted file mode 100755
index 14fb618ea4..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/alert/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: carbon_black_cloud
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: carbon_black_cloud.alert
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/alert/fields/ecs.yml b/packages/carbon_black_cloud/1.0.2/data_stream/alert/fields/ecs.yml
deleted file mode 100755
index cfad6817c1..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/alert/fields/ecs.yml
+++ /dev/null
@@ -1,117 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. 
For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - URL linking to an external system to continue investigation of this event. - This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. - name: event.url - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - name: host.id - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
- name: host.name - type: keyword -- description: |- - Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - name: host.os.type - type: keyword -- description: Operating system version as a raw string. - name: host.os.version - type: keyword -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. 
- name: related.user - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/alert/fields/fields.yml b/packages/carbon_black_cloud/1.0.2/data_stream/alert/fields/fields.yml deleted file mode 100755 index 3eca3a1515..0000000000 --- a/packages/carbon_black_cloud/1.0.2/data_stream/alert/fields/fields.yml +++ /dev/null 
@@ -1,218 +0,0 @@ -- name: carbon_black_cloud.alert - type: group - fields: - - name: blocked_threat_category - type: keyword - description: The category of threat which we were able to take action on. - - name: category - type: keyword - description: The category of the alert. - - name: count - type: long - - name: created_by_event_id - type: keyword - description: Event identifier that initiated the alert. - - name: device - type: group - fields: - - name: location - type: keyword - description: The Location of device. - - name: os - type: keyword - description: OS of the device. - - name: internal_ip - type: ip - description: Internal IP of the device. - - name: external_ip - type: ip - description: External IP of the device. - - name: document_guid - type: keyword - description: Unique ID of document. - - name: ioc - type: group - fields: - - name: field - type: keyword - description: The field the indicator of comprise (IOC) hit contains. - - name: hit - type: keyword - description: IOC field value or IOC query that matches. - - name: id - type: keyword - description: The identifier of the IOC that cause the hit. - - name: kill_chain_status - type: keyword - description: The stage within the Cyber Kill Chain sequence most closely associated with the attributes of the alert. - - name: last_update_time - type: date - description: The last time the alert was updated as an ISO 8601 UTC timestamp. - - name: legacy_alert_id - type: keyword - description: The legacy identifier for the alert. - - name: not_blocked_threat_category - type: keyword - description: Other potentially malicious activity involved in the threat that we weren't able to take action on (either due to policy config, or not having a relevant rule). - - name: notes_present - type: boolean - description: Indicates if notes are associated with the threat_id. - - name: organization_key - type: keyword - description: The unique identifier for the organization associated with the alert. 
- - name: policy - type: group - fields: - - name: applied - type: keyword - description: Whether a policy was applied. - - name: id - type: long - description: The identifier for the policy associated with the device at the time of the alert. - - name: name - type: keyword - description: The name of the policy associated with the device at the time of the alert. - - name: product_id - type: keyword - description: The hexadecimal id of the USB device's product. - - name: product_name - type: keyword - description: The name of the USB device’s vendor. - - name: reason_code - type: keyword - description: Shorthand enum for the full-text reason. - - name: report - type: group - fields: - - name: id - type: keyword - description: The identifier of the report that contains the IOC. - - name: name - type: keyword - description: The name of the report that contains the IOC. - - name: run_state - type: keyword - description: Whether the threat in the alert ran. - - name: sensor_action - type: keyword - description: The action taken by the sensor, according to the rule of the policy. - - name: serial_number - type: keyword - description: The serial number of the USB device. - - name: status - type: keyword - description: status of alert. - - name: tags - type: keyword - description: Tags associated with the alert. - - name: target_value - type: keyword - description: The priority of the device assigned by the policy. - - name: threat_activity - type: group - fields: - - name: c2 - type: keyword - description: Whether the alert involved a command and control (c2) server. - - name: dlp - type: keyword - description: Whether the alert involved data loss prevention (DLP). - - name: phish - type: keyword - description: Whether the alert involved phishing. - - name: threat_cause - type: group - fields: - - name: actor - type: group - fields: - - name: md5 - type: keyword - description: MD5 of the threat cause actor. 
- - name: name - type: keyword - description: 'The name can be one of the following: process commandline, process name, or analytic matched threat. Analytic matched threats are Exploit, Malware, PUP, or Trojan.' - - name: process_pid - type: keyword - description: Process identifier (PID) of the actor process. - - name: sha256 - type: keyword - description: SHA256 of the threat cause actor. - - name: cause_event_id - type: keyword - description: ID of the Event that triggered the threat. - - name: process - type: group - fields: - - name: guid - type: keyword - description: The global unique identifier of the process. - - name: parent - type: group - fields: - - name: guid - type: keyword - description: The global unique identifier of the process. - - name: reputation - type: keyword - description: Reputation of the threat cause. - - name: threat_category - type: keyword - description: Category of the threat cause. - - name: vector - type: keyword - description: The source of the threat cause. - - name: threat_id - type: keyword - description: The identifier of a threat which this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices. - - name: threat_indicators - type: group - description: List of the threat indicators that make up the threat. - fields: - - name: process_name - type: keyword - description: Process name associated with threat. - - name: sha256 - type: keyword - description: Sha256 associated with threat. - - name: ttps - type: keyword - description: Tactics, techniques and procedures associated with threat. - - name: type - type: keyword - description: Type of alert. - - name: vendor_id - type: keyword - description: The hexadecimal id of the USB device's vendor. - - name: vendor_name - type: keyword - description: The name of the USB device’s vendor. - - name: watchlists - type: group - description: List of watchlists associated with an alert. 
- fields: - - name: id - type: keyword - description: The identifier of watchlist. - - name: name - type: keyword - description: The name of the watchlist. - - name: workflow - type: group - description: Tracking system for alerts as they are triaged and resolved. - fields: - - name: changed_by - type: keyword - description: The name of user who changed the workflow. - - name: comment - type: keyword - description: Comment associated with workflow. - - name: last_update_time - type: date - description: The last update time of workflow. - - name: remediation - type: keyword - description: N/A - - name: state - type: keyword - description: The state of workflow. diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/alert/manifest.yml b/packages/carbon_black_cloud/1.0.2/data_stream/alert/manifest.yml deleted file mode 100755 index 477667ce22..0000000000 --- a/packages/carbon_black_cloud/1.0.2/data_stream/alert/manifest.yml +++ /dev/null 
@@ -1,95 +0,0 @@
-title: Alert
-type: logs
-streams:
- - input: httpjson
- title: Collect alerts from Carbon Black Cloud
- description: Collect alerts from Carbon Black Cloud.
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval
- description: Interval to fetch alerts from Carbon Black Cloud.
- multi: false
- required: true
- show_user: true
- default: 1m
- - name: initial_interval
- type: text
- title: Initial Interval
- description: How far back to pull the alerts from the Carbon Black Cloud API.
- default: 24h
- multi: false
- required: true
- show_user: true
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - carbon_black_cloud-alert
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: aws-s3
- title: Collect alerts from Carbon Black Cloud
- description: Collect alerts from Carbon Black Cloud.
- template_path: aws-s3.yml.hbs
- vars:
- - name: bucket_list_prefix
- type: text
- title: Bucket Prefix
- description: Prefix to apply for the list request to the S3 bucket.
- multi: false
- required: true
- show_user: true
- - name: interval
- type: text
- title: Interval
- description: Interval to fetch alerts from AWS S3 bucket.
- multi: false
- required: true
- show_user: true
- default: 1m
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - carbon_black_cloud-alert
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/alert/sample_event.json b/packages/carbon_black_cloud/1.0.2/data_stream/alert/sample_event.json
deleted file mode 100755
index 67e2c63a32..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/alert/sample_event.json
+++ /dev/null
@@ -1,114 +0,0 @@
-{
- "@timestamp": "2020-11-17T22:05:13.000Z",
- "agent": {
- "ephemeral_id": "56053d91-103c-4c77-8f15-0a1006a80102",
- "hostname": "docker-fleet-agent",
- "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "carbon_black_cloud": {
- "alert": {
- "category": "warning",
- "device": {
- "external_ip": "81.2.69.143",
- "internal_ip": "81.2.69.144",
- "location": "UNKNOWN",
- "os": "WINDOWS"
- },
- "last_update_time": "2020-11-17T22:05:13Z",
- "legacy_alert_id": "C8EB7306-AF26-4A9A-B677-814B3AF69720",
- "organization_key": "ABCD6X3T",
- "policy": {
- "applied": "APPLIED",
- "id": 6997287,
- "name": "Standard"
- },
- "product_id": "0x5406",
- "product_name": "U3 Cruzer Micro",
- "reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC",
- "run_state": "DID_NOT_RUN",
- "sensor_action": "DENY",
- "serial_number": "0875920EF7C2A304",
- "target_value": "MEDIUM",
- "threat_cause": {
- "cause_event_id": "FCEE2AF0-D832-4C9F-B988-F11B46028C9E",
- "threat_category": "NON_MALWARE",
- "vector": "REMOVABLE_MEDIA"
- },
- "threat_id": "t5678",
- "type": "DEVICE_CONTROL",
- "vendor_id": "0x0781",
- "vendor_name": "SanDisk",
- "workflow": {
- "changed_by": "Carbon Black",
- "last_update_time": "2020-11-17T22:02:16Z",
- "state": "OPEN"
- }
- }
- },
- "data_stream": {
- "dataset": "carbon_black_cloud.alert",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "elastic_agent": {
- "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-04-14T11:46:13.154Z",
- "dataset": "carbon_black_cloud.alert",
- "end": "2020-11-17T22:02:16Z",
- "id": "test1",
- "ingested": "2022-04-14T11:46:14Z",
- "kind": "alert",
- "original":
"{\"alert_url\":\"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976\",\"category\":\"WARNING\",\"create_time\":\"2020-11-17T22:05:13Z\",\"device_external_ip\":\"81.2.69.143\",\"device_id\":2,\"device_internal_ip\":\"81.2.69.144\",\"device_location\":\"UNKNOWN\",\"device_name\":\"DESKTOP-002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"test34@demo.com\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"id\":\"test1\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"policy_applied\":\"APPLIED\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"product_id\":\"0x5406\",\"product_name\":\"U3 Cruzer Micro\",\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"run_state\":\"DID_NOT_RUN\",\"sensor_action\":\"DENY\",\"serial_number\":\"0875920EF7C2A304\",\"severity\":3,\"target_value\":\"MEDIUM\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_id\":\"t5678\",\"type\":\"DEVICE_CONTROL\",\"vendor_id\":\"0x0781\",\"vendor_name\":\"SanDisk\",\"workflow\":{\"changed_by\":\"Carbon Black\",\"comment\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"remediation\":\"\",\"state\":\"OPEN\"}}", - "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). 
A Deny Policy Action was applied.",
- "severity": 3,
- "start": "2020-11-17T22:02:16Z",
- "url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976"
- },
- "host": {
- "hostname": "DESKTOP-002",
- "id": "2",
- "ip": [
- "81.2.69.144",
- "81.2.69.143"
- ],
- "name": "DESKTOP-002",
- "os": {
- "type": "windows",
- "version": "Windows 10 x64"
- }
- },
- "input": {
- "type": "httpjson"
- },
- "related": {
- "hosts": [
- "DESKTOP-002"
- ],
- "ip": [
- "81.2.69.144",
- "81.2.69.143"
- ],
- "user": [
- "test34@demo.com"
- ]
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "carbon_black_cloud-alert"
- ],
- "user": {
- "name": "test34@demo.com"
- }
-}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 310b6e05d5..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,45 +0,0 @@
-config_version: 2
-interval: {{interval}}
-request.method: POST
-{{#if proxy_url }}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.url: {{hostname}}/vulnerability/assessment/api/v1/orgs/{{org_key}}/devices/vulnerabilities/summary/_search
-request.transforms:
- - set:
- target: header.X-Auth-Token
- value: {{custom_api_secret_key}}/{{custom_api_id}}
- - set:
- target: body.start
- value: '0'
- value_type: int
- - set:
- target: body.rows
- value: '10000'
- value_type: int
-request.timeout: 2m
-response.pagination:
- - set:
- target: body.start
- value: '[[if (eq (len .last_response.body.results) 0)]][[.last_response.terminate_pagination]][[else]][[mul .last_response.page .body.rows]][[end]]'
- value_type: int
- fail_on_template_error: true
-response.split:
- target: body.results
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 94f7482f37..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,132 +0,0 @@
----
-description: Pipeline for parsing Carbon Black Cloud Asset Vulnerability Summary.
-processors:
-- rename:
- field: message
- target_field: event.original
- ignore_missing: true
-- set:
- field: ecs.version
- value: '8.0.0'
-- json:
- field: event.original
- target_field: json
-- rename:
- field: json.host_name
- target_field: host.hostname
- ignore_missing: true
-- convert:
- field: json.device_id
- type: string
- target_field: host.id
- ignore_missing: true
-- rename:
- field: json.name
- target_field: host.name
- ignore_missing: true
-- rename:
- field: json.os_info.os_name
- target_field: host.os.name
- ignore_missing: true
-- set:
- field: host.os.type
- value: windows
- if: ctx?.json?.os_info.os_type == "WINDOWS"
-- set:
- field: host.os.type
- value: ubuntu
- if: ctx?.json?.os_info.os_type == "UBUNTU"
-- set:
- field: host.os.type
- value: centos
- if: ctx?.json?.os_info.os_type == "CENTOS"
-- remove :
- field: json.os_info.os_type
- ignore_missing: true
-- remove :
- field: json.device_id
- ignore_missing: true
-- rename:
- field: json.os_info.os_version
- target_field: host.os.version
- ignore_missing: true
-- rename:
- field: json.highest_risk_score
- target_field: vulnerability.score.base
- ignore_missing: true
-- rename:
- field: json.severity
- target_field: vulnerability.severity
- ignore_missing: true
-- date:
- field: json.last_sync_ts
- formats:
- - ISO8601
- target_field: carbon_black_cloud.asset_vulnerability_summary.last_sync.timestamp
-- remove:
- field: json.last_sync_ts
- ignore_missing: true
-- rename:
- field: json.sync_status
- target_field: carbon_black_cloud.asset_vulnerability_summary.sync.status
- ignore_missing: true
-- rename:
- field: json.sync_type
- target_field: carbon_black_cloud.asset_vulnerability_summary.sync.type
- ignore_missing: true
-- rename:
- field: json.type
- target_field: carbon_black_cloud.asset_vulnerability_summary.type
- ignore_missing: true
-- rename:
- field: json.vm_id
- target_field:
carbon_black_cloud.asset_vulnerability_summary.vm.id
- ignore_missing: true
-- rename:
- field: json.vm_name
- target_field: carbon_black_cloud.asset_vulnerability_summary.vm.name
- ignore_missing: true
-- rename:
- field: json.vuln_count
- target_field: carbon_black_cloud.asset_vulnerability_summary.vuln_count
- ignore_missing: true
-- append:
- field: related.hosts
- value: "{{{host.hostname}}}"
- allow_duplicates: false
-- script:
- description: Adds all the remaining fields in fields under carbon_black_cloud.asset_vulnerability_summary
- lang: painless
- if: ctx?.json != null
- source: |
- for (Map.Entry m : ctx.json.entrySet()) {
- ctx.carbon_black_cloud.asset_vulnerability_summary[m.getKey()] = m.getValue();
- }
-- remove:
- field: json
- ignore_missing: true
-- script:
- description: Drops null/empty values recursively
- lang: painless
- source: |
- boolean dropEmptyFields(Object object) {
- if (object == null || object == "") {
- return true;
- } else if (object instanceof Map) {
- ((Map) object).values().removeIf(value -> dropEmptyFields(value));
- return (((Map) object).size() == 0);
- } else if (object instanceof List) {
- ((List) object).removeIf(value -> dropEmptyFields(value));
- return (((List) object).length == 0);
- }
- return false;
- }
- dropEmptyFields(ctx);
-- remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/fields/agent.yml b/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/fields/base-fields.yml b/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/fields/base-fields.yml
deleted file mode 100755
index e6791517a6..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: carbon_black_cloud
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: carbon_black_cloud.asset_vulnerability_summary
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/fields/ecs.yml b/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/fields/ecs.yml
deleted file mode 100755
index bae6099a14..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/fields/ecs.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- name: host.hostname
- type: keyword
-- description: |-
- Unique host id.
- As hostname is not always unique, use values that are meaningful in your environment.
- Example: The current usage of `beat.name`.
- name: host.id
- type: keyword
-- description: |-
- Name of the host.
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
- name: host.name
- type: keyword
-- description: Operating system name, without the version.
- multi_fields:
- - name: text
- type: match_only_text
- name: host.os.name
- type: keyword
-- description: |-
- Use the `os.type` field to categorize the operating system into one of the broad commercial families.
- One of these following values should be used (lowercase): linux, macos, unix, windows.
- If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
- name: host.os.type
- type: keyword
-- description: Operating system version as a raw string.
- name: host.os.version
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- type: keyword
-- description: |-
- Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
- Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)
- name: vulnerability.score.base
- type: float
-- description: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)
- name: vulnerability.severity
- type: keyword
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/fields/fields.yml b/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/fields/fields.yml
deleted file mode 100755
index a70b2974e8..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/fields/fields.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- name: carbon_black_cloud.asset_vulnerability_summary
- type: group
- fields:
- - name: os_info
- type: group
- fields:
- - name: os_arch
- type: keyword
- description: The identifier is for the Operating system architecture.
- - name: last_sync
- type: group
- fields:
- - name: timestamp
- type: date
- description: The identifier is for the Last sync time.
- - name: sync
- type: group
- fields:
- - name: status
- type: keyword
- description: The identifier is for the Device sync status.
- - name: type
- type: keyword
- description: The identifier is for the Whether a manual sync was triggered for the device, or if it was a scheduled sync.
- - name: type
- type: keyword
- description: The identifier is for the Device type.
- - name: vm
- type: group
- fields:
- - name: id
- type: keyword
- description: The identifier is for the Virtual Machine ID.
- - name: name
- type: keyword
- description: The identifier is for the Virtual Machine name.
- - name: vuln_count
- type: integer
- description: The identifier is for the Number of vulnerabilities at this level.
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/manifest.yml b/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/manifest.yml
deleted file mode 100755
index b7bf78f84d..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/manifest.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Asset Vulnerability Summary
-type: logs
-streams:
- - input: httpjson
- title: Collect asset vulnerability summary from Carbon Black Cloud
- description: Collect asset vulnerability summary from Carbon Black Cloud.
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval
- description: Interval to query asset vulnerability summary in Carbon Black Cloud.
- multi: false
- required: true
- show_user: true
- default: 1h
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - carbon_black_cloud-asset-vulnerability-summary
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/sample_event.json b/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/sample_event.json
deleted file mode 100755
index c31987aefe..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/asset_vulnerability_summary/sample_event.json
+++ /dev/null
@@ -1,76 +0,0 @@
-{
- "@timestamp": "2022-04-14T11:47:25.371Z",
- "agent": {
- "ephemeral_id": "377d9292-c7d0-4c30-bbee-faf4848d30d8",
- "hostname": "docker-fleet-agent",
- "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "carbon_black_cloud": {
- "asset_vulnerability_summary": {
- "last_sync": {
- "timestamp": "2022-01-17T08:33:37.384Z"
- },
- "os_info": {
- "os_arch": "64-bit"
- },
- "sync": {
- "status": "COMPLETED",
- "type": "SCHEDULED"
- },
- "type": "ENDPOINT",
- "vuln_count": 1770
- }
- },
- "data_stream": {
- "dataset": "carbon_black_cloud.asset_vulnerability_summary",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "elastic_agent": {
- "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-04-14T11:47:25.371Z",
- "dataset": "carbon_black_cloud.asset_vulnerability_summary",
- "ingested": "2022-04-14T11:47:26Z",
- "original": "{\"cve_ids\":null,\"device_id\":8,\"highest_risk_score\":10,\"host_name\":\"DESKTOP-008\",\"last_sync_ts\":\"2022-01-17T08:33:37.384932Z\",\"name\":\"DESKTOP-008KK\",\"os_info\":{\"os_arch\":\"64-bit\",\"os_name\":\"Microsoft Windows 10 Education\",\"os_type\":\"WINDOWS\",\"os_version\":\"10.0.17763\"},\"severity\":\"CRITICAL\",\"sync_status\":\"COMPLETED\",\"sync_type\":\"SCHEDULED\",\"type\":\"ENDPOINT\",\"vm_id\":\"\",\"vm_name\":\"\",\"vuln_count\":1770}"
- },
- "host": {
- "hostname": "DESKTOP-008",
- "id": "8",
- "name": "DESKTOP-008KK",
- "os": {
- "name": "Microsoft Windows 10 Education",
- "type": "windows",
- "version": "10.0.17763"
- }
- },
- "input": {
- "type": "httpjson"
- },
- "related": {
- "hosts": [
- "DESKTOP-008"
- ]
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "carbon_black_cloud-asset-vulnerability-summary"
- ],
- "vulnerability": {
- "score": {
- "base": 10
- },
- "severity":
"CRITICAL"
- }
-}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/1.0.2/data_stream/audit/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 2693bd2bbb..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/audit/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,32 +0,0 @@
-config_version: 2
-interval: {{interval}}
-request.method: GET
-
-{{#if proxy_url}}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-
-request.url: {{hostname}}/integrationServices/v3/auditlogs
-request.transforms:
- - set:
- target: header.X-Auth-Token
- value: {{api_secret_key}}/{{api_id}}
-response.split:
- target: body.notifications
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.0.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 55cc7106f9..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,93 +0,0 @@
----
-description: Pipeline for parsing Carbon Black Cloud audit logs
-processors:
- - set:
- field: ecs.version
- value: '8.0.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- ignore_failure: true
- - date:
- field: json.eventTime
- target_field: "@timestamp"
- ignore_failure: true
- formats:
- - UNIX_MS
- - set:
- field: event.kind
- value: event
- - set:
- field: event.outcome
- value: success
- - set:
- field: event.outcome
- value: failure
- if: ctx?.json?.flagged == true
- - rename:
- field: json.description
- target_field: event.reason
- - rename:
- field: json.clientIp
- target_field: client.ip
- ignore_missing: true
- - rename:
- field: json.loginName
- target_field: client.user.id
- ignore_missing: true
- - rename:
- field: json.eventId
- target_field: event.id
- ignore_missing: true
- - rename:
- field: json.orgName
- target_field: organization.name
- ignore_missing: true
- - urldecode:
- field: json.requestUrl
- target_field: url.original
- ignore_missing: true
- - rename:
- field: json.verbose
- target_field: carbon_black_cloud.audit.verbose
- ignore_missing: true
- - rename:
- field: json.flagged
- target_field: carbon_black_cloud.audit.flagged
- ignore_missing: true
- - append:
- field: related.ip
- value: "{{{client.ip}}}"
- allow_duplicates: false
- - remove:
- field: json
- - script:
- description: Drops null/empty values recursively
- lang: painless
- source: |
- boolean dropEmptyFields(Object object) {
- if (object == null || object == "") {
- return true;
- } else if (object instanceof Map) {
- ((Map) object).values().removeIf(value -> dropEmptyFields(value));
- return (((Map) object).size() == 0);
- } else if (object instanceof List) {
- ((List) object).removeIf(value -> dropEmptyFields(value));
- return (((List) object).length == 0);
- }
- return false;
- }
- dropEmptyFields(ctx);
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{{_ingest.on_failure_message}}}"
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/audit/fields/agent.yml b/packages/carbon_black_cloud/1.0.2/data_stream/audit/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/audit/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/audit/fields/base-fields.yml b/packages/carbon_black_cloud/1.0.2/data_stream/audit/fields/base-fields.yml
deleted file mode 100755
index a14e71251a..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/audit/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: carbon_black_cloud
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: carbon_black_cloud.audit
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/audit/fields/ecs.yml b/packages/carbon_black_cloud/1.0.2/data_stream/audit/fields/ecs.yml
deleted file mode 100755
index b5cd2cc086..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,55 +0,0 @@
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
-- description: Unique identifier of the user.
- name: client.user.id
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- Reason why this event happened, according to the source.
- This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
- name: event.reason
- type: keyword
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: organization.name
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: List of keywords used to tag each event.
- name: tags
- type: keyword
-- description: |-
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.original
- type: wildcard
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/audit/fields/fields.yml b/packages/carbon_black_cloud/1.0.2/data_stream/audit/fields/fields.yml
deleted file mode 100755
index 24af5d42b9..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/audit/fields/fields.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-- name: carbon_black_cloud.audit
- type: group
- fields:
- - name: flagged
- type: boolean
- description: true if action is failed otherwise false.
- - name: verbose
- type: boolean
- description: true if verbose audit log otherwise false.
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/audit/manifest.yml b/packages/carbon_black_cloud/1.0.2/data_stream/audit/manifest.yml
deleted file mode 100755
index 929093a4ef..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/audit/manifest.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Audit
-type: logs
-streams:
- - input: httpjson
- title: Collect audit logs from Carbon Black Cloud
- description: Collect audit logs from Carbon Black Cloud.
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval
- description: Interval to fetch audit logs from Carbon Black Cloud.
- multi: false
- required: true
- show_user: true
- default: 1m
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - carbon_black_cloud-audit
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/audit/sample_event.json b/packages/carbon_black_cloud/1.0.2/data_stream/audit/sample_event.json
deleted file mode 100755
index 4ecd8ed454..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/audit/sample_event.json
+++ /dev/null
@@ -1,63 +0,0 @@
-{
- "@timestamp": "2022-02-10T16:04:30.263Z",
- "agent": {
- "ephemeral_id": "6472e86c-fc7c-478a-a6fd-12ed19fe05c9",
- "hostname": "docker-fleet-agent",
- "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "carbon_black_cloud": {
- "audit": {
- "flagged": false,
- "verbose": false
- }
- },
- "client": {
- "ip": "10.10.10.10",
- "user": {
- "id": "abc@demo.com"
- }
- },
- "data_stream": {
- "dataset": "carbon_black_cloud.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "elastic_agent": {
- "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-04-14T11:48:30.094Z",
- "dataset": "carbon_black_cloud.audit",
- "id": "2122f8ce8xxxxxxxxxxxxx",
- "ingested": "2022-04-14T11:48:31Z",
- "kind": "event",
- "original": "{\"clientIp\":\"10.10.10.10\",\"description\":\"Logged in successfully\",\"eventId\":\"2122f8ce8xxxxxxxxxxxxx\",\"eventTime\":1644509070263,\"flagged\":false,\"loginName\":\"abc@demo.com\",\"orgName\":\"cb-xxxx-xxxx.com\",\"requestUrl\":null,\"verbose\":false}",
- "outcome": "success",
- "reason": "Logged in successfully"
- },
- "input": {
- "type": "httpjson"
- },
- "organization": {
- "name": "cb-xxxx-xxxx.com"
- },
- "related": {
- "ip": [
- "10.10.10.10"
- ]
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "carbon_black_cloud-audit"
- ]
-}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs
deleted file mode 100755
index e02c596614..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs
+++ /dev/null
@@ -1,24 +0,0 @@
-bucket_arn: {{bucket_arn}}
-number_of_workers: {{number_of_workers}}
-bucket_list_interval: {{interval}}
-access_key_id: {{access_key_id}}
-secret_access_key: {{secret_access_key}}
-bucket_list_prefix: {{bucket_list_prefix}}
-expand_event_list_from_field: Records
-{{#if proxy_url}}
-proxy_url: {{proxy_url}}
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 3a6c8fc6df..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,587 +0,0 @@
----
-description: Pipeline for parsing Carbon Black Cloud Endpoint Events.
-processors:
- - set:
- field: ecs.version
- value: '8.0.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- ignore_failure: true
- - date:
- field: json.create_time
- target_field: "@timestamp"
- ignore_failure: true
- formats:
- - ISO8601
- - rename:
- field: json.action
- target_field: event.action
- ignore_missing: true
- - rename:
- field: json.event_id
- target_field: event.id
- ignore_missing: true
- - rename:
- field: json.event_description
- target_field: event.reason
- ignore_missing: true
- - rename:
- field: json.filemod_name
- target_field: file.path
- ignore_missing: true
- - rename:
- field: json.modload_name
- target_field: dll.path
- ignore_missing: true
- - set:
- field: network.transport
- value: udp
- if: ctx?.json?.netconn_protocol == "PROTO_UDP"
- - set:
- field: network.transport
- value: tcp
- if: ctx?.json?.netconn_protocol == "PROTO_TCP"
- - set:
- field: network.direction
- value: inbound
- if: ctx?.json?.netconn_inbound == true
- - set:
- field: network.direction
- value: outbound
- if: ctx?.json?.netconn_inbound == false
- - rename:
- field: json.remote_port
- target_field: source.port
- ignore_missing: true
- - rename:
- field: json.remote_ip
- target_field: source.ip
- ignore_missing: true
- - rename:
- field: json.netconn_domain
- target_field: source.address
- ignore_missing: true
- - rename:
- field: json.local_port
- target_field: client.port
- ignore_missing: true
- - rename:
- field: json.local_ip
- target_field: client.ip
- ignore_missing: true
- - convert:
- field: json.device_id
- target_field: host.id
- type: string
- ignore_missing: true
- - set:
- field: host.os.type
- value: windows
- if: ctx?.json?.device_os == "WINDOWS"
- - set:
- field: host.os.type
- value: linux
- if: ctx?.json?.device_os == "LINUX"
- - set:
- field: host.os.type
- value: macos
- if: ctx?.json?.device_os == "MAC"
- - rename:
- field: json.device_name
- target_field: host.hostname
- ignore_missing: true
- - grok:
- field: host.hostname
- patterns:
- - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$'
- ignore_missing: true
- ignore_failure: true
- - set:
- field: host.name
- value: "{{{host.hostname}}}"
- ignore_failure: true
- - rename:
- field: json.device_group
- target_field: host.os.family
- ignore_missing: true
- - append:
- field: host.ip
- value: "{{{json.device_internal_ip}}}"
- if: ctx?.json?.device_internal_ip != null
- allow_duplicates: false
- ignore_failure: true
- - append:
- field: host.ip
- value: "{{{json.device_external_ip}}}"
- if: ctx?.json?.device_external_ip != null
- allow_duplicates: false
- ignore_failure: true
- - rename:
- field: json.device_group
- target_field: host.os.family
- ignore_missing: true
- - rename:
- field: json.process_cmdline
- target_field: process.command_line
- ignore_missing: true
- - rename:
- field: json.process_guid
- target_field: process.entity_id
- ignore_missing: true
- - rename:
- field: json.process_path
- target_field: process.executable
- ignore_missing: true
- - rename:
- field: json.process_pid
- target_field: process.pid
- ignore_missing: true
- - rename:
- field: json.parent_cmdline
- target_field: process.parent.command_line
- ignore_missing: true
- - rename:
- field: json.parent_guid
- target_field: process.parent.entity_id
- ignore_missing: true
- - rename:
- field: json.parent_path
- target_field: process.parent.executable
- ignore_missing: true
- - rename:
- field: json.parent_pid
- target_field: process.parent.pid
- ignore_missing: true
- - rename:
- field: json.regmod_name
- target_field: registry.path
- ignore_missing: true
- - append:
- field: related.ip
- value:
- - "{{{json.device_internal_ip}}}"
- - "{{{json.device_external_ip}}}"
- - "{{{json.netconn_proxy_ip}}}"
- - "{{{source.ip}}}"
- - "{{{client.ip}}}"
- allow_duplicates: false
- - append:
- field: related.user
- value:
- - "{{{json.process_username}}}"
- - "{{{json.childproc_username}}}"
- allow_duplicates: false
- - append:
- field: related.hosts
- value:
- - "{{{host.hostname}}}"
- - "{{{user.domain}}}"
- allow_duplicates: false
- - script:
- description: Dynamically map MD5 and SHA256 hash
- lang: painless
- source: |
- void mapHashField(def ctx, def hashes, def key) {
- for (hash in hashes) {
- if (hash.length() == 32) {ctx["json"][key + "_md5"] = hash;}
- if (hash.length() == 64) {ctx["json"][key + "_sha256"] = hash;}
- }
- }
- if (ctx.json?.process_hash instanceof List) {
- mapHashField(ctx, ctx.json?.process_hash, "process_hash");
- }
- if (ctx.json?.parent_hash instanceof List) {
- mapHashField(ctx, ctx.json?.parent_hash, "parent_hash");
- }
- if (ctx.json?.filemod_hash instanceof List) {
- mapHashField(ctx, ctx.json?.filemod_hash, "filemod_hash");
- }
- if (ctx.json?.childproc_hash instanceof List) {
- mapHashField(ctx, ctx.json?.childproc_hash, "childproc_hash");
- }
- if (ctx.json?.crossproc_hash instanceof List) {
- mapHashField(ctx, ctx.json?.crossproc_hash, "crossproc_hash");
- }
- if (ctx.json?.scriptload_hash instanceof List) {
- mapHashField(ctx, ctx.json?.scriptload_hash, "scriptload_hash");
- }
- - rename:
- field: json.process_hash_md5
- target_field: process.hash.md5
- ignore_missing: true
- - rename:
- field: json.process_hash_sha256
- target_field: process.hash.sha256
- ignore_missing: true
- - rename:
- field: json.parent_hash_md5
- target_field: process.parent.hash.md5
- ignore_missing: true
- - rename:
- field: json.parent_hash_sha256
- target_field: process.parent.hash.sha256
- ignore_missing: true
- - rename:
- field: json.backend_timestamp
- target_field: carbon_black_cloud.endpoint_event.backend.timestamp
- ignore_missing: true
- - rename:
- field: json.device_timestamp
- target_field: carbon_black_cloud.endpoint_event.device.timestamp
- ignore_missing: true
- - rename:
- field: json.device_os
- target_field: carbon_black_cloud.endpoint_event.device.os
- ignore_missing: true
- - rename:
- field: json.childproc_name
- target_field: carbon_black_cloud.endpoint_event.childproc.name
- ignore_missing: true
- - rename:
- field: json.org_key
- target_field: carbon_black_cloud.endpoint_event.organization_key
- ignore_missing: true
- - rename:
- field: json.process_duration
- target_field: carbon_black_cloud.endpoint_event.process.duration
- ignore_missing: true
- - foreach:
- field: json.process_publisher
- processor:
- split:
- field: _ingest._value.state
- separator: " \\| "
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.process_publisher
- target_field: carbon_black_cloud.endpoint_event.process.publisher
- ignore_missing: true
- - rename:
- field: json.process_reputation
- target_field: carbon_black_cloud.endpoint_event.process.reputation
- ignore_missing: true
- - rename:
- field: json.process_terminated
- target_field: carbon_black_cloud.endpoint_event.process.terminated
- ignore_missing: true
- - rename:
- field: json.process_username
- target_field: carbon_black_cloud.endpoint_event.process.username
- ignore_missing: true
- - rename:
- field: json.parent_reputation
- target_field: carbon_black_cloud.endpoint_event.process.parent.reputation
- ignore_missing: true
- - rename:
- field: json.target_cmdline
- target_field: carbon_black_cloud.endpoint_event.target_cmdline
- ignore_missing: true
- - rename:
- field: json.type
- target_field: carbon_black_cloud.endpoint_event.type
- ignore_missing: true
-
-# Mapping for endpoint.event.crossproc event type
-
- - rename:
- field: json.crossproc_action
- target_field: carbon_black_cloud.endpoint_event.crossproc.action
- ignore_missing: true
- - rename:
- field: json.crossproc_api
- target_field: carbon_black_cloud.endpoint_event.crossproc.api
- ignore_missing: true
- - rename:
- field: json.crossproc_guid
- target_field: carbon_black_cloud.endpoint_event.crossproc.guid
- ignore_missing: true
- - rename:
- field: json.crossproc_name
- target_field: carbon_black_cloud.endpoint_event.crossproc.name
- ignore_missing: true
- - rename:
- field: json.crossproc_target
- target_field: carbon_black_cloud.endpoint_event.crossproc.target
- ignore_missing: true
- - rename:
- field: json.crossproc_reputation
- target_field: carbon_black_cloud.endpoint_event.crossproc.reputation
- ignore_missing: true
- - foreach:
- field: json.crossproc_publisher
- processor:
- split:
- field: _ingest._value.state
- separator: " \\| "
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.crossproc_publisher
- target_field: carbon_black_cloud.endpoint_event.crossproc.publisher
- ignore_missing: true
- - rename:
- field: json.crossproc_hash_md5
- target_field: carbon_black_cloud.endpoint_event.crossproc.hash.md5
- ignore_missing: true
- - rename:
- field: json.crossproc_hash_sha256
- target_field: carbon_black_cloud.endpoint_event.crossproc.hash.sha256
- ignore_missing: true
-
-# Mapping for endpoint.event.filemod event type
-
- - rename:
- field: json.filemod_hash_md5
- target_field: file.hash.md5
- ignore_missing: true
- - rename:
- field: json.filemod_hash_sha256
- target_field: file.hash.sha256
- ignore_missing: true
-
-# Mapping for endpoint.event.fileless_scriptload event type
-
- - rename:
- field: json.fileless_scriptload_cmdline
- target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline
- ignore_missing: true
- - rename:
- field: json.fileless_scriptload_cmdline_length
- target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline_length
- ignore_missing: true
- - rename:
- field: json.fileless_scriptload_hash_md5
- target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5
- ignore_missing: true
- - rename:
- field: json.fileless_scriptload_hash_sha256
- target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256
- ignore_missing: true
-
-# Mapping for endpoint.event.moduleload event type
-
- - rename:
- field: json.modload_md5
- target_field: dll.hash.md5
- ignore_missing: true
- - rename:
- field: json.modload_sha256
- target_field: dll.hash.sha256
- ignore_missing: true
- - rename:
- field: json.modload_effective_reputation
- target_field: carbon_black_cloud.endpoint_event.modload.effective_reputation
- ignore_missing: true
- - rename:
- field: json.modload_count
- target_field: carbon_black_cloud.endpoint_event.modload.count
- ignore_missing: true
- - foreach:
- field: json.modload_publisher
- processor:
- split:
- field: _ingest._value.state
- separator: " \\| "
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.modload_publisher
- target_field: carbon_black_cloud.endpoint_event.modload.publisher
- ignore_missing: true
-
-# Mapping for endpoint.event.netconn_proxy event type
-
- - rename:
- field: json.netconn_proxy_domain
- target_field: carbon_black_cloud.endpoint_event.netconn.proxy.domain
- ignore_missing: true
- - rename:
- field: json.netconn_proxy_port
- target_field: carbon_black_cloud.endpoint_event.netconn.proxy.port
- ignore_missing: true
- - rename:
- field: json.netconn_proxy_ip
- target_field: carbon_black_cloud.endpoint_event.netconn.proxy.ip
- ignore_missing: true
-
-# Mapping for endpoint.event.procstart event type
-
- - rename:
- field: json.childproc_guid
- target_field: carbon_black_cloud.endpoint_event.childproc.guid
- ignore_missing: true
- - rename:
- field: json.childproc_name
- target_field: carbon_black_cloud.endpoint_event.childproc.name
- ignore_missing: true
- - rename:
- field: json.childproc_pid
- target_field: carbon_black_cloud.endpoint_event.childproc.pid
- ignore_missing: true
- - foreach:
- field: json.childproc_publisher
- processor:
- split:
- field: _ingest._value.state
- separator: " \\| "
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.childproc_publisher
- target_field: carbon_black_cloud.endpoint_event.childproc.publisher
- ignore_missing: true
- - rename:
- field: json.childproc_reputation
- target_field: carbon_black_cloud.endpoint_event.childproc.reputation
- ignore_missing: true
- - rename:
- field: json.childproc_username
- target_field: carbon_black_cloud.endpoint_event.childproc.username
- ignore_missing: true
- - rename:
- field: json.childproc_hash_md5
- target_field: carbon_black_cloud.endpoint_event.childproc.hash.md5
- ignore_missing: true
- - rename:
- field: json.childproc_hash_sha256
- target_field: carbon_black_cloud.endpoint_event.childproc.hash.sha256
- ignore_missing: true
-
-# Mapping for NGAV endpoint.event.scriptload event type
-
- - rename:
- field: json.scriptload_name
- target_field: carbon_black_cloud.endpoint_event.scriptload.name
- ignore_missing: true
- - foreach:
- field: json.scriptload_publisher
- processor:
- split:
- field: _ingest._value.state
- separator: " \\| "
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.scriptload_publisher
- target_field: carbon_black_cloud.endpoint_event.scriptload.publisher
- ignore_missing: true
- - rename:
- field: json.scriptload_count
- target_field: carbon_black_cloud.endpoint_event.scriptload.count
- ignore_missing: true
- - rename:
- field: json.scriptload_hash_md5
- target_field: carbon_black_cloud.endpoint_event.scriptload.hash.md5
- ignore_missing: true
- - rename:
- field: json.scriptload_hash_sha256
- target_field: carbon_black_cloud.endpoint_event.scriptload.hash.sha256
- ignore_missing: true
- - rename:
- field: json.scriptload_effective_reputation
- target_field: carbon_black_cloud.endpoint_event.scriptload.effective_reputation
- ignore_missing: true
- - rename:
- field: json.scriptload_reputation
- target_field: carbon_black_cloud.endpoint_event.scriptload.reputation
- ignore_missing: true
- - rename:
- field: json.device_internal_ip
- target_field: carbon_black_cloud.endpoint_event.device.internal_ip
- ignore_missing: true
- - rename:
- field: json.device_external_ip
- target_field: carbon_black_cloud.endpoint_event.device.external_ip
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- - append:
- field: related.hash
- value:
- - "{{{process.hash.md5}}}"
- - "{{{process.hash.sha256}}}"
- - "{{{process.parent.hash.md5}}}"
- - "{{{process.parent.hash.sha256}}}"
- - "{{{file.hash.md5}}}"
- - "{{{file.hash.sha256}}}"
- - "{{{dll.hash.md5}}}"
- - "{{{dll.hash.sha256}}}"
- - "{{{carbon_black_cloud.endpoint_event.childproc.hash.md5}}}"
- - "{{{carbon_black_cloud.endpoint_event.childproc.hash.sha256}}}"
- - "{{{carbon_black_cloud.endpoint_event.crossproc.hash.md5}}}"
- - "{{{carbon_black_cloud.endpoint_event.crossproc.hash.sha256}}}"
- - "{{{carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5}}}"
- - "{{{carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256}}}"
- - "{{{carbon_black_cloud.endpoint_event.scriptload.hash.md5}}}"
- - "{{{carbon_black_cloud.endpoint_event.scriptload.hash.sha256}}}"
- allow_duplicates: false
- - script:
- description: Adds all the remaining fields in fields under carbon_black_cloud.endpoint_event
- lang: painless
- if: ctx?.json != null
- source: |
- for (Map.Entry m : ctx.json.entrySet()) {
- ctx.carbon_black_cloud.endpoint_event[m.getKey()] = m.getValue();
- }
- - remove:
- field:
- - json
- - carbon_black_cloud.endpoint_event.create_time
- - carbon_black_cloud.endpoint_event.device_id
- - carbon_black_cloud.endpoint_event.process_hash
- - carbon_black_cloud.endpoint_event.parent_hash
- - carbon_black_cloud.endpoint_event.crossproc_hash
- - carbon_black_cloud.endpoint_event.filemod_hash
- - carbon_black_cloud.endpoint_event.childproc_hash
- - carbon_black_cloud.endpoint_event.modload_hash
- - carbon_black_cloud.endpoint_event.scriptload_hash
- - carbon_black_cloud.endpoint_event.netconn_inbound
- - carbon_black_cloud.endpoint_event.netconn_protocol
- ignore_missing: true
- - script:
- description: Drops null/empty values recursively
- lang: painless
- source: |
- boolean dropEmptyFields(Object object) {
- if (object == null || object == "") {
- return true;
- } else if (object instanceof Map) {
- ((Map) object).values().removeIf(value -> dropEmptyFields(value));
- return (((Map) object).size() == 0);
- } else if (object instanceof List) {
- ((List) object).removeIf(value -> dropEmptyFields(value));
- return (((List) object).length == 0);
- }
- return false;
- }
- dropEmptyFields(ctx);
- - script:
- description: Remove duplicate values
- lang: painless
- source: |
- if (ctx?.related?.user != null) {
- ctx.related.user = new HashSet(ctx.related.user)
- }
- if (ctx?.related?.hash != null) {
- ctx.related.hash = new HashSet(ctx.related.hash)
- }
- if (ctx?.related?.ip != null) {
- ctx.related.ip = new HashSet(ctx.related.ip)
- }
-on_failure:
- - set:
- field: error.message
- value: "{{{_ingest.on_failure_message}}}"
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/fields/agent.yml b/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/fields/base-fields.yml b/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/fields/base-fields.yml
deleted file mode 100755
index 9b3253d2db..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: carbon_black_cloud
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: carbon_black_cloud.endpoint_event
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/fields/ecs.yml b/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/fields/ecs.yml
deleted file mode 100755
index 11a1880a0a..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/fields/ecs.yml
+++ /dev/null
@@ -1,193 +0,0 @@
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
-- description: Port of the client.
- name: client.port
- type: long
-- description: MD5 hash.
- name: dll.hash.md5
- type: keyword
-- description: SHA256 hash.
- name: dll.hash.sha256
- type: keyword
-- description: Full file path of the library.
- name: dll.path
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- Reason why this event happened, according to the source.
- This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
- name: event.reason
- type: keyword
-- description: MD5 hash.
- name: file.hash.md5
- type: keyword
-- description: SHA256 hash.
- name: file.hash.sha256
- type: keyword
-- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
- multi_fields:
- - name: text
- type: match_only_text
- name: file.path
- type: keyword
-- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- name: host.hostname
- type: keyword
-- description: |-
- Unique host id.
- As hostname is not always unique, use values that are meaningful in your environment.
- Example: The current usage of `beat.name`.
- name: host.id
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- type: ip
-- description: |-
- Name of the host.
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
- name: host.name
- type: keyword
-- description: OS family (such as redhat, debian, freebsd, windows).
- name: host.os.family
- type: keyword
-- description: Operating system name, without the version.
- multi_fields:
- - name: text
- type: match_only_text
- name: host.os.name
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- Full command line that started the process, including the absolute path to the executable, and all arguments.
- Some arguments may be filtered to protect sensitive information.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.command_line
- type: wildcard
-- description: |-
- Unique identifier for the process.
- The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
- Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
- name: process.entity_id
- type: keyword
-- description: Absolute path to the process executable.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.executable
- type: keyword
-- description: MD5 hash.
- name: process.hash.md5
- type: keyword
-- description: SHA256 hash.
- name: process.hash.sha256
- type: keyword
-- description: |-
- Full command line that started the process, including the absolute path to the executable, and all arguments.
- Some arguments may be filtered to protect sensitive information.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.parent.command_line
- type: wildcard
-- description: |-
- Unique identifier for the process.
- The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
- Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
- name: process.parent.entity_id
- type: keyword
-- description: Absolute path to the process executable.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.parent.executable
- type: keyword
-- description: MD5 hash.
- name: process.parent.hash.md5
- type: keyword
-- description: SHA256 hash.
- name: process.parent.hash.sha256
- type: keyword
-- description: Process id.
- name: process.parent.pid
- type: long
-- description: Process id.
- name: process.pid
- type: long
-- description: Full path, including hive, key and value
- name: registry.path
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
-- description: List of keywords used to tag each event.
- name: tags
- type: keyword
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.domain
- type: keyword
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/fields/fields.yml b/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/fields/fields.yml
deleted file mode 100755
index 199988ffb6..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/fields/fields.yml
+++ /dev/null
@@ -1,239 +0,0 @@
-- name: carbon_black_cloud.endpoint_event
- type: group
- fields:
- - name: alert_id
- type: keyword
- description: The ID of the Alert this event is associated with.
- - name: backend
- type: group
- fields:
- - name: timestamp
- type: keyword
- description: Time when the backend received the batch of events.
- - name: childproc
- type: group
- fields:
- - name: guid
- type: keyword
- description: Unique ID of the child process.
- - name: hash
- type: group
- fields:
- - name: md5
- type: keyword
- description: Cryptographic MD5 hashes of the executable file backing the child process.
- - name: sha256
- type: keyword
- description: Cryptographic SHA256 hashes of the executable file backing the child process.
- - name: name
- type: keyword
- description: Full path to the target of the crossproc event on the device's local file system.
- - name: pid
- type: long
- description: OS-reported Process ID of the child process.
- - name: publisher
- type: group
- description: Signature entry for the childproc as reported by the endpoint.
- fields:
- - name: name
- type: keyword
- description: The name of the publisher.
- - name: state
- type: keyword
- description: The state of the publisher.
- - name: reputation
- type: keyword
- description: Carbon Black Cloud Reputation string for the childproc.
- - name: username
- type: keyword
- description: The username associated with the user context that the child process was started under.
- - name: crossproc
- type: group
- fields:
- - name: action
- type: keyword
- description: The action taken on cross-process.
- - name: api
- type: keyword
- description: Name of the operating system API called by the actor process.
- - name: guid
- type: keyword
- description: Unique ID of the cross process.
- - name: hash
- type: group
- fields:
- - name: md5
- type: keyword
- description: Cryptographic MD5 hashes of the target of the crossproc event.
- - name: sha256
- type: keyword
- description: Cryptographic SHA256 hashes of the target of the crossproc event.
- - name: name
- type: keyword
- description: Full path to the target of the crossproc event on the device's local file system.
- - name: publisher
- type: group
- description: Signature entry for the crossproc as reported by the endpoint.
- fields:
- - name: name
- type: keyword
- description: The name of the publisher.
- - name: state
- type: keyword
- description: The state of the publisher.
- - name: reputation
- type: keyword
- description: Carbon Black Cloud Reputation string for the crossproc.
- - name: target
- type: boolean
- description: True if the process was the target of the cross-process event; false if the process was the actor.
- - name: device
- type: group
- fields:
- - name: os
- type: keyword
- description: Os name.
- - name: timestamp
- type: keyword
- description: Time seen on sensor.
- - name: internal_ip
- type: ip
- description: Internal IP of the device.
- - name: external_ip
- type: ip
- description: External IP of the device.
- - name: event_origin
- type: keyword
- description: Indicates which product the event came from. "EDR" indicates the event originated from Enterprise EDR. "NGAV" indicates the event originated from Endpoint Standard.
- - name: fileless_scriptload
- type: group
- fields:
- - name: cmdline
- type: keyword
- description: Deobfuscated script content run in a fileless context by the process.
- - name: cmdline_length
- type: keyword
- description: Character count of the deobfuscated script content run in a fileless context.
- - name: hash
- type: group
- fields:
- - name: md5
- type: keyword
- description: MD5 hash of the deobfuscated script content run by the process in a fileless context.
- - name: sha256
- type: keyword
- description: SHA-256 hash of the deobfuscated script content run by the process in a fileless context.
- - name: modload
- type: group
- fields:
- - name: count
- type: long
- description: Count of modload events reported by the sensor since last initialization.
- - name: effective_reputation
- type: keyword
- description: Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred.
- - name: publisher
- type: group
- description: Signature entry for the moduleload as reported by the endpoint.
- fields:
- - name: name
- type: keyword
- description: The name of the publisher.
- - name: state
- type: keyword
- description: The state of the publisher.
- - name: netconn
- type: group
- fields:
- - name: proxy
- type: group
- fields:
- - name: domain
- type: keyword
- description: DNS name associated with the "proxy" end of this network connection; may be empty if the name cannot be inferred or the connection is made direct to/from a proxy IP address.
- - name: ip
- type: keyword
- description: IPv4 or IPv6 address in string format associated with the "proxy" end of this network connection.
- - name: port
- type: keyword
- description: UDP/TCP port number associated with the "proxy" end of this network connection.
- - name: organization_key
- type: keyword
- description: The organization key associated with the console instance.
- - name: process
- type: group
- fields:
- - name: duration
- type: long
- description: The time difference in seconds between the process start and process terminate event.
- - name: parent
- type: group
- fields:
- - name: reputation
- type: keyword
- description: Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud.
- - name: publisher
- type: group
- description: Signature entry for the process as reported by the endpoint.
- fields:
- - name: name
- type: keyword
- description: The name of the publisher.
- - name: state
- type: keyword
- description: The state of the publisher.
- - name: reputation
- type: keyword
- description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud.
- - name: terminated
- type: boolean
- description: True if process was terminated elase false.
- - name: username
- type: keyword
- description: The username associated with the user context that this process was started under.
- - name: schema
- type: long
- description: The schema version. The current schema version is "1". This schema version will only be incremented if the field definitions are changed in a backwards-incompatible way.
- - name: scriptload
- type: group
- fields:
- - name: count
- type: long
- description: Count of scriptload events across all processes reported by the sensor since last initialization.
- - name: effective_reputation
- type: keyword
- description: Effective reputation(s) of the script file(s) loaded at process launch; applied by the sensor when the event occurred.
- - name: hash
- type: group
- fields:
- - name: md5
- type: keyword
- description: Cryptographic MD5 hashes of the target of the scriptload event.
- - name: sha256
- type: keyword
- description: Cryptographic SHA256 hashes of the target of the scriptload event.
- - name: name
- type: keyword
- description: Full path to the target of the crossproc event on the device's local file system.
- - name: publisher
- type: group
- description: Signature entry for the scriptload as reported by the endpoint.
- fields:
- - name: name
- type: keyword
- description: The name of the publisher.
- - name: state
- type: keyword
- description: The state of the publisher.
- - name: reputation
- type: keyword
- description: Carbon Black Cloud Reputation string for the scriptload.
- - name: sensor_action
- type: keyword
- description: The sensor action taken on event.
- - name: target_cmdline
- type: keyword
- description: Process command line associated with the target process.
- - name: type
- type: keyword
- description: The event type.
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/manifest.yml b/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/manifest.yml
deleted file mode 100755
index 0f52e82022..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/manifest.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-title: Endpoint Event
-type: logs
-streams:
- - input: aws-s3
- title: Collect endpoint events from Carbon Black Cloud
- description: Collect endpoint events from Carbon Black Cloud.
- template_path: aws-s3.yml.hbs
- vars:
- - name: bucket_list_prefix
- type: text
- title: Bucket Prefix
- description: Prefix to apply for the list request to the S3 bucket.
- multi: false
- required: true
- show_user: true
- - name: interval
- type: text
- title: Interval
- description: Interval to fetch endpoint events from AWS S3 bucket.
- multi: false
- required: true
- show_user: true
- default: 1m
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - carbon_black_cloud-endpoint-event
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/sample_event.json b/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/sample_event.json
deleted file mode 100755
index 958377158a..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/endpoint_event/sample_event.json
+++ /dev/null
@@ -1,96 +0,0 @@
-{
- "process": {
- "parent": {
- "pid": 1684,
- "entity_id": "XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62",
- "command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\GuestAgent\\WindowsAzureGuestAgent.exe",
- "executable": "c:\\windowsazure\\guestagent_2.7.41491.1010_2021-05-11_233023\\guestagent\\windowsazureguestagent.exe",
- "hash": {
- "sha256": "44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5",
- "md5": "03dd698da2671383c9b4f868c9931879"
- }
- },
- "pid": 4880,
- "entity_id": "XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37",
- "command_line": "\"route.exe\" print",
- "executable": "c:\\windows\\system32\\route.exe",
- "hash": {
- "sha256": "9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6",
- "md5": "2498272dc48446891182747428d02a30"
- }
- },
- "ecs": {
- "version": "8.0.0"
- },
- "carbon_black_cloud": {
- "endpoint_event": {
- "schema": 1,
- "event_origin": "EDR",
- "process": {
- "duration": 2,
- "parent": {
- "reputation": "REP_RESOLVING"
- },
- "publisher": [
- {
- "name": "Microsoft Windows",
- "state": [
- "FILE_SIGNATURE_STATE_SIGNED",
- "FILE_SIGNATURE_STATE_VERIFIED",
- "FILE_SIGNATURE_STATE_TRUSTED",
- "FILE_SIGNATURE_STATE_OS",
- "FILE_SIGNATURE_STATE_CATALOG_SIGNED"
- ]
- }
- ],
- "reputation": "REP_RESOLVING",
- "terminated": true,
- "username": "NT AUTHORITY\\SYSTEM"
- },
- "organization_key": "XXXXXXXX",
- "backend": {
- "timestamp": "2022-02-10 11:52:50 +0000 UTC"
- },
- "target_cmdline": "\"route.exe\" print",
- "type": "endpoint.event.procend",
- "device": {
- "os": "WINDOWS",
- "timestamp": "2022-02-10 11:51:35.0684097 +0000 UTC",
- "external_ip": "67.43.156.12"
- },
- "sensor_action": "ACTION_ALLOW"
- }
- },
- "host": {
- "hostname": "client-cb2",
- "id": "4034605",
- "os": {
- "type": "windows"
- },
- "ip": [
- "67.43.156.13"
- ]
- },
- "event": {
- "action": "ACTION_PROCESS_TERMINATE",
- "orignal": 
"{\"type\":\"endpoint.event.procend\",\"process_guid\":\"XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37\",\"parent_guid\":\"XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62\",\"backend_timestamp\":\"2022-02-10 11:52:50 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"4034605\",\"device_name\":\"client-cb2\",\"device_external_ip\":\"67.43.156.13\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_PROCESS_TERMINATE\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:51:35.0684097 +0000 UTC\",\"process_terminated\":true,\"process_duration\":2,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":4880,\"parent_pid\":1684,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_path\":\"c:\\\\windows\\\\system32\\\\route.exe\",\"parent_path\":\"c:\\\\windowsazure\\\\guestagent_2.7.41491.1010_2021-05-11_233023\\\\guestagent\\\\windowsazureguestagent.exe\",\"process_hash\":[\"2498272dc48446891182747428d02a30\",\"9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6\"],\"parent_hash\":[\"03dd698da2671383c9b4f868c9931879\",\"44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5\"],\"process_cmdline\":\"\\\"route.exe\\\" print\",\"parent_cmdline\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\\\GuestAgent\\\\WindowsAzureGuestAgent.exe\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"target_cmdline\":\"\\\"route.exe\\\" print\"}" - }, - "data_stream": { - "dataset": "carbon_black_cloud.endpoint_event", - "namespace": "ep", - "type": "logs" - }, - "elastic_agent": { - "id": "3b20ea47-9610-412d-97e3-47cd19b7e4d5", - "snapshot": true, - "version": "8.0.0" - }, - "input": { - "type": "aws-s3" - }, - "tags": [ - 
"preserve_original_event",
- "forwarded",
- "carbon_black_cloud-endpoint-event"
- ]
-}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs
deleted file mode 100755
index e02c596614..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs
+++ /dev/null
@@ -1,24 +0,0 @@
-bucket_arn: {{bucket_arn}}
-number_of_workers: {{number_of_workers}}
-bucket_list_interval: {{interval}}
-access_key_id: {{access_key_id}}
-secret_access_key: {{secret_access_key}}
-bucket_list_prefix: {{bucket_list_prefix}}
-expand_event_list_from_field: Records
-{{#if proxy_url}}
-proxy_url: {{proxy_url}}
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 1699bc69c1..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,293 +0,0 @@
----
-description: Pipeline for parsing Carbon Black Cloud watchlist hit.
-processors:
- - set:
- field: ecs.version
- value: '8.0.0'
- - set:
- field: event.kind
- value: event
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- ignore_failure: true
- - date:
- field: json.create_time
- target_field: "@timestamp"
- ignore_failure: true
- formats:
- - ISO8601
- - rename:
- field: json.severity
- target_field: event.severity
- ignore_missing: true
- - convert:
- field: json.device_id
- target_field: host.id
- type: string
- ignore_missing: true
- - set:
- field: host.os.type
- value: windows
- if: ctx?.json?.device_os == "WINDOWS"
- - set:
- field: host.os.type
- value: linux
- if: ctx?.json?.device_os == "LINUX"
- - set:
- field: host.os.type
- value: macos
- if: ctx?.json?.device_os == "MAC"
- - rename:
- field: json.device_os_version
- target_field: host.os.version
- ignore_missing: true
- - rename:
- field: json.device_name
- target_field: host.hostname
- ignore_missing: true
- - grok:
- field: host.hostname
- patterns:
- '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$'
- ignore_missing: true
- ignore_failure: true
- - set:
- field: host.name
- value: "{{{host.hostname}}}"
- ignore_failure: true
- - append:
- field: host.ip
- value: "{{{json.device_internal_ip}}}"
- if: ctx?.json?.device_internal_ip != null
- allow_duplicates: false
- ignore_failure: true
- - append:
- field: host.ip
- value: "{{{json.device_external_ip}}}"
- if: ctx?.json?.device_external_ip != null
- allow_duplicates: false
- ignore_failure: true
- - rename:
- field: json.process_cmdline
- target_field: process.command_line
- ignore_missing: true
- - rename:
- field: json.process_guid
- target_field: process.entity_id
- ignore_missing: true
- - rename:
- field: json.process_path
- target_field: process.executable
- ignore_missing: true
- - rename:
- field: json.process_pid
- target_field: process.pid
- ignore_missing: true
- - rename:
- field: json.parent_cmdline
- target_field: process.parent.command_line
- ignore_missing: true
- - rename:
- field: json.parent_guid
- target_field: process.parent.entity_id
- ignore_missing: true
- - rename:
- field: json.parent_path
- target_field: process.parent.executable
- ignore_missing: true
- - rename:
- field: json.parent_pid
- target_field: process.parent.pid
- ignore_missing: true
- - append:
- field: related.ip
- value:
- "{{{json.device_internal_ip}}}"
- "{{{json.device_external_ip}}}"
- allow_duplicates: false
- - append:
- field: related.user
- value:
- "{{{json.parent_username}}}"
- "{{{json.process_username}}}"
- allow_duplicates: false
- - append:
- field: related.hosts
- value:
- "{{{host.hostname}}}"
- "{{{user.domain}}}"
- allow_duplicates: false
- - script:
- description: Dynamically map MD5 and SHA256 hash
- lang: painless
- source: |
- void mapHashField(def ctx, def hashes, def key) {
- for (hash in hashes) {
- if (hash.length() == 32) {ctx["json"][key + "_md5"] = hash;}
- if (hash.length() == 64) {ctx["json"][key + "_sha256"] = hash;}
- }
- }
- if (ctx.json?.process_hash instanceof List) {
- mapHashField(ctx, ctx.json?.process_hash, "process_hash");
- }
- if (ctx.json?.parent_hash instanceof List) {
- mapHashField(ctx, ctx.json?.parent_hash, "parent_hash");
- }
- - rename:
- field: json.process_hash_md5
- target_field: process.hash.md5
- ignore_missing: true
- - rename:
- field: json.process_hash_sha256
- target_field: process.hash.sha256
- ignore_missing: true
- - rename:
- field: json.parent_hash_md5
- target_field: process.parent.hash.md5
- ignore_missing: true
- - rename:
- field: json.parent_hash_sha256
- target_field: process.parent.hash.sha256
- ignore_missing: true
- - append:
- field: related.hash
- value:
- "{{{process.hash.md5}}}"
- "{{{process.hash.sha256}}}"
- "{{{process.parent.hash.md5}}}"
- "{{{process.parent.hash.sha256}}}"
- allow_duplicates: false
- - rename:
- field: json.device_os
- target_field: carbon_black_cloud.watchlist_hit.device.os
- ignore_missing: true
- - rename:
- field: json.device_internal_ip
- target_field: carbon_black_cloud.watchlist_hit.device.internal_ip
- ignore_missing: true
- - rename:
- field: json.device_external_ip
- target_field: carbon_black_cloud.watchlist_hit.device.external_ip
- ignore_missing: true
- - rename:
- field: json.ioc_hit
- target_field: carbon_black_cloud.watchlist_hit.ioc.hit
- ignore_missing: true
- - rename:
- field: json.ioc_id
- target_field: carbon_black_cloud.watchlist_hit.ioc.id
- ignore_missing: true
- - rename:
- field: json.org_key
- target_field: carbon_black_cloud.watchlist_hit.organization_key
- ignore_missing: true
- - foreach:
- field: json.parent_publisher
- processor:
- split:
- field: _ingest._value.state
- separator: " \\| "
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.parent_publisher
- target_field: carbon_black_cloud.watchlist_hit.process.parent.publisher
- ignore_missing: true
- - rename:
- field: json.parent_reputation
- target_field: carbon_black_cloud.watchlist_hit.process.parent.reputation
- ignore_missing: true
- - rename:
- field: json.parent_username
- target_field: carbon_black_cloud.watchlist_hit.process.parent.username
- ignore_missing: true
- - foreach:
- field: json.process_publisher
- processor:
- split:
- field: _ingest._value.state
- separator: " \\| "
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.process_publisher
- target_field: carbon_black_cloud.watchlist_hit.process.publisher
- ignore_missing: true
- - rename:
- field: json.process_reputation
- target_field: carbon_black_cloud.watchlist_hit.process.reputation
- ignore_missing: true
- - rename:
- field: json.process_username
- target_field: carbon_black_cloud.watchlist_hit.process.username
- ignore_missing: true
- - rename:
- field: json.report_id
- target_field: carbon_black_cloud.watchlist_hit.report.id
- ignore_missing: true
- - rename:
- field: json.report_name
- target_field: carbon_black_cloud.watchlist_hit.report.name
- ignore_missing: true
- - rename:
- field: json.report_tags
- target_field: carbon_black_cloud.watchlist_hit.report.tags
- ignore_missing: true
- - script:
- description: Drops null/empty values recursively
- lang: painless
- source: |
- boolean dropEmptyFields(Object object) {
- if (object == null || object == "") {
- return true;
- } else if (object instanceof Map) {
- ((Map) object).values().removeIf(value -> dropEmptyFields(value));
- return (((Map) object).size() == 0);
- } else if (object instanceof List) {
- ((List) object).removeIf(value -> dropEmptyFields(value));
- return (((List) object).length == 0);
- }
- return false;
- }
- dropEmptyFields(ctx);
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- - script:
- description: Adds all the remaining fields in fields under carbon_black_cloud.watchlist_hit
- lang: painless
- if: ctx?.json != null
- source: |
- for (Map.Entry m : ctx.json.entrySet()) {
- ctx.carbon_black_cloud.watchlist_hit[m.getKey()] = m.getValue();
- }
- - remove:
- field:
- json
- carbon_black_cloud.watchlist_hit.create_time
- carbon_black_cloud.watchlist_hit.device_id
- carbon_black_cloud.watchlist_hit.process_hash
- carbon_black_cloud.watchlist_hit.parent_hash
- ignore_missing: true
- - script:
- description: Remove duplicate values
- lang: painless
- source: |
- if (ctx?.related?.user != null) {
- ctx.related.user = new HashSet(ctx.related.user)
- }
- if (ctx?.related?.hash != null) {
- ctx.related.hash = new HashSet(ctx.related.hash)
- }
-on_failure:
- - set:
- field: error.message
- value: "{{{_ingest.on_failure_message}}}"
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/fields/agent.yml b/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/fields/base-fields.yml b/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/fields/base-fields.yml deleted file mode 100755 index 89df536282..0000000000 --- a/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module. - value: carbon_black_cloud -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: carbon_black_cloud.watchlist_hit diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/fields/ecs.yml b/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/fields/ecs.yml deleted file mode 100755 index 5257b0ad7a..0000000000 --- a/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/fields/ecs.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). 
If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - name: host.id - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - name: host.os.type - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. 
- name: process.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: MD5 hash. - name: process.hash.md5 - type: keyword -- description: SHA256 hash. - name: process.hash.sha256 - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.parent.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.parent.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.parent.executable - type: keyword -- description: MD5 hash. - name: process.parent.hash.md5 - type: keyword -- description: SHA256 hash. - name: process.parent.hash.sha256 - type: keyword -- description: Process id. - name: process.parent.pid - type: long -- description: Process id. - name: process.pid - type: long -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/fields/fields.yml b/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/fields/fields.yml deleted file mode 100755 index 25cb25005e..0000000000 --- a/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/fields/fields.yml +++ /dev/null 
@@ -1,89 +0,0 @@
-- name: carbon_black_cloud.watchlist_hit
- type: group
- fields:
- - name: device
- type: group
- fields:
- - name: os
- type: keyword
- description: OS Type of device (Windows/OSX/Linux).
- - name: internal_ip
- type: ip
- description: Internal IP of the device.
- - name: external_ip
- type: ip
- description: External IP of the device.
- - name: ioc
- type: group
- fields:
- - name: field
- type: keyword
- description: Field the IOC hit contains.
- - name: hit
- type: keyword
- description: IOC field value, or IOC query that matches.
- - name: id
- type: keyword
- description: ID of the IOC that caused the hit.
- - name: organization_key
- type: keyword
- description: The organization key associated with the console instance.
- - name: process
- type: group
- fields:
- - name: parent
- type: group
- fields:
- - name: publisher
- type: group
- description: signature entry for the process as reported by the endpoint.
- fields:
- - name: name
- type: keyword
- description: The name of the publisher.
- - name: state
- type: keyword
- description: The state of the publisher.
- - name: reputation
- type: keyword
- description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud.
- - name: username
- type: keyword
- description: The username associated with the user context that this process was started under.
- - name: publisher
- type: group
- description: signature entry for the process as reported by the endpoint.
- - name: reputation
- type: keyword
- description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud.
- - name: username
- type: keyword
- description: The username associated with the user context that this process was started under.
- - name: report
- type: group
- fields:
- - name: id
- type: keyword
- description: ID of the watchlist report(s) that detected a hit on the process.
- - name: name
- type: keyword
- description: Name of the watchlist report(s) that detected a hit on the process.
- - name: tags
- type: keyword
- description: List of tags associated with the report(s) that detected a hit on the process.
- - name: schema
- type: long
- description: Schema version.
- - name: type
- type: keyword
- description: The watchlist hit type.
- - name: watchlists
- type: group
- description: List of watchlists that contain the report of the ioc hit.
- fields:
- - name: id
- type: keyword
- description: The ID of the watchlists.
- - name: name
- type: keyword
- description: The name of the watchlists.
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/manifest.yml b/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/manifest.yml
deleted file mode 100755
index 7782458210..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/manifest.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-title: Watchlist Hit
-type: logs
-streams:
- - input: aws-s3
- title: Collect watchlist hit from Carbon Black Cloud
- description: Collect watchlist hit from Carbon Black Cloud.
- template_path: aws-s3.yml.hbs
- vars:
- - name: bucket_list_prefix
- type: text
- title: Bucket Prefix
- description: Prefix to apply for the list request to the S3 bucket.
- multi: false
- required: true
- show_user: true
- - name: interval
- type: text
- title: Interval
- description: Interval to fetch watchlist hit from AWS S3 bucket.
- multi: false
- required: true
- show_user: true
- default: 1m
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - carbon_black_cloud-watchlist-hit
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/sample_event.json b/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/sample_event.json
deleted file mode 100755
index 0a5e6c32fb..0000000000
--- a/packages/carbon_black_cloud/1.0.2/data_stream/watchlist_hit/sample_event.json
+++ /dev/null
@@ -1,130 +0,0 @@ -{ - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-watchlist-hit" - ], - "input": { - "type": "aws-s3" - }, - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "carbon_black_cloud.watchlist_hit" - }, - "agent": { - "id": "e0d5f508-9616-400f-b26b-bb1aa6638b80", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "process": { - "parent": { - "pid": 4076, - "entity_id": "7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1", - "command_line": "C:\\WINDOWS\\system32\\cmd.exe /c \"sc query aella_conf | findstr RUNNING \u003e null\"", - "executable": "c:\\windows\\syswow64\\cmd.exe", - "hash": { - "sha256": "4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22", - "md5": "d0fce3afa6aa1d58ce9fa336cc2b675b" - } - }, - "pid": 7516, - "entity_id": "7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6", - "command_line": "sc query aella_conf ", - "executable": "c:\\windows\\syswow64\\sc.exe", - "hash": { - "sha256": "4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2", - "md5": "d9d7684b8431a0d10d0e76fe9f5ffec8" - } - }, - "carbon_black_cloud": { - "watchlist_hit": { - "schema": 1, - "process": { - "parent": { - "publisher": [ - { - "name": "Microsoft Windows", - "state": [ - "FILE_SIGNATURE_STATE_SIGNED", - "FILE_SIGNATURE_STATE_VERIFIED", - "FILE_SIGNATURE_STATE_TRUSTED", - "FILE_SIGNATURE_STATE_OS", - "FILE_SIGNATURE_STATE_CATALOG_SIGNED" - ] - } - ], - "reputation": "REP_WHITE", - "username": "NT AUTHORITY\\SYSTEM" - }, - "publisher": [ - { - "name": "Microsoft Windows", - "state": [ - "FILE_SIGNATURE_STATE_SIGNED", - "FILE_SIGNATURE_STATE_VERIFIED", - "FILE_SIGNATURE_STATE_TRUSTED", - "FILE_SIGNATURE_STATE_OS", - "FILE_SIGNATURE_STATE_CATALOG_SIGNED" - ] - } - ], - "reputation": "REP_WHITE", - "username": "NT AUTHORITY\\SYSTEM" - }, - "organization_key": "xxxxxxxx", - "report": { - "name": "Discovery - System Service Discovery Detected", - 
"id": "CFnKBKLTv6hUkBGFobRdg-565571", - "tags": [ - "attack", - "attackframework", - "threathunting", - "hunting", - "t1007", - "recon", - "discovery", - "windows" - ] - }, - "watchlists": [ - { - "name": "ATT\u0026CK Framework", - "id": "P5f9AW29TGmTOvBW156Cig" - } - ], - "type": "watchlist.hit", - "ioc": { - "hit": "((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true", - "id": "565571-0" - }, - "device": { - "internal_ip": "10.10.156.12", - "external_ip": "67.43.156.12", - "os": "WINDOWS" - } - } - }, - "host": { - "hostname": "Carbonblack-win1", - "os": { - "type": "windows" - }, - "ip": [ - "10.10.156.12", - "67.43.156.12" - ], - "id": "4467271" - }, - "event": { - "kind": "event", - "severity": 3, - "agent_id_status": "verified", - "ingested": "2022-02-17T07:23:31Z", - "original": "{\"schema\":1,\"create_time\":\"2022-02-10T23:54:32.449Z\",\"device_external_ip\":\"205.234.30.196\",\"device_id\":4467271,\"device_internal_ip\":\"10.33.4.214\",\"device_name\":\"Carbonblack-win1\",\"device_os\":\"WINDOWS\",\"ioc_hit\":\"((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true\",\"ioc_id\":\"565571-0\",\"org_key\":\"7DESJ9GN\",\"parent_cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"sc query aella_conf | findstr RUNNING \\u003e null\\\"\",\"parent_guid\":\"7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1\",\"parent_hash\":[\"d0fce3afa6aa1d58ce9fa336cc2b675b\",\"4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22\"],\"parent_path\":\"c:\\\\windows\\\\syswow64\\\\cmd.exe\",\"parent_pid\":4076,\"parent_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"parent_reputation\":\"REP_WHITE\",\"parent_username\":\"NT AUTHORITY\\\\SYSTEM\",\"process_cmdline\":\"sc query aella_conf 
\",\"process_guid\":\"7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6\",\"process_hash\":[\"d9d7684b8431a0d10d0e76fe9f5ffec8\",\"4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2\"],\"process_path\":\"c:\\\\windows\\\\syswow64\\\\sc.exe\",\"process_pid\":7516,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_reputation\":\"REP_WHITE\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"report_id\":\"CFnKBKLTv6hUkBGFobRdg-565571\",\"report_name\":\"Discovery - System Service Discovery Detected\",\"report_tags\":[\"attack\",\"attackframework\",\"threathunting\",\"hunting\",\"t1007\",\"recon\",\"discovery\",\"windows\"],\"severity\":3,\"type\":\"watchlist.hit\",\"watchlists\":[{\"id\":\"P5f9AW29TGmTOvBW156Cig\",\"name\":\"ATT\\u0026CK Framework\"}]}", - "dataset": "carbon_black_cloud.watchlist_hit" - } -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/docs/README.md b/packages/carbon_black_cloud/1.0.2/docs/README.md deleted file mode 100755 index b07163713d..0000000000 --- a/packages/carbon_black_cloud/1.0.2/docs/README.md +++ /dev/null 
@@ -1,1042 +0,0 @@ -# VMware Carbon Black Cloud - -The VMware Carbon Black Cloud integration collects and parses data from the Carbon Black Cloud REST APIs and AWS S3 bucket. - -## Compatibility - -This module has been tested against `Alerts API (v6)`, `Audit Log Events (v3)` and `Vulnerability Assessment (v1)`. - -## Requirements - -### In order to ingest data from the AWS S3 bucket you must: -1. Configure the [Data Forwarder](https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/services/carbon-black-cloud-user-guide/GUID-F68F63DD-2271-4088-82C9-71D675CD0535.html) to ingest data into an AWS S3 bucket. -2. Create an [AWS Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - - -### In order to ingest data from the APIs you must generate API keys and API Secret Keys: -1. In Carbon Black Cloud, On the left navigation pane, click **Settings > API Access**. -2. Click Add API Key. -3. Give the API key a unique name and description. - - Select the appropriate access level type. Please check required Access Levels & Permissions for integration in below table. - **Note:** To use a custom access level, select Custom from the Access Level type drop-down menu and specify the Custom Access Level. - - Optional: Add authorized IP addresses. - - You can restrict the use of an API key to a specific set of IP addresses for security reasons. - **Note:** Authorized IP addresses are not available with Custom keys. -4. To apply the changes, click Save. - -#### Access Levels & Permissions -- The following tables indicate which type of API Key access level is required. If the type is Custom then the permission that is required will also be included. 
-
-| Data stream | Access Level and Permissions |
-| --------------------------- | ------------------------------------------ |
-| Audit | API |
-| Alert | Custom orgs.alerts (Read) |
-| Asset Vulnerability Summary | Custom vulnerabilityAssessment.data (Read) |
-
-
-## Note
-
-- The alert data stream has a 15-minute delay to ensure that no occurrences are missed.
-
-## Logs
-
-### Audit
-
-This is the `audit` dataset.
-
-An example event for `audit` looks as following:
-
-```json
-{
- "@timestamp": "2022-02-10T16:04:30.263Z",
- "agent": {
- "ephemeral_id": "6472e86c-fc7c-478a-a6fd-12ed19fe05c9",
- "hostname": "docker-fleet-agent",
- "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "carbon_black_cloud": {
- "audit": {
- "flagged": false,
- "verbose": false
- }
- },
- "client": {
- "ip": "10.10.10.10",
- "user": {
- "id": "abc@demo.com"
- }
- },
- "data_stream": {
- "dataset": "carbon_black_cloud.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "elastic_agent": {
- "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-04-14T11:48:30.094Z",
- "dataset": "carbon_black_cloud.audit",
- "id": "2122f8ce8xxxxxxxxxxxxx",
- "ingested": "2022-04-14T11:48:31Z",
- "kind": "event",
- "original": "{\"clientIp\":\"10.10.10.10\",\"description\":\"Logged in successfully\",\"eventId\":\"2122f8ce8xxxxxxxxxxxxx\",\"eventTime\":1644509070263,\"flagged\":false,\"loginName\":\"abc@demo.com\",\"orgName\":\"cb-xxxx-xxxx.com\",\"requestUrl\":null,\"verbose\":false}",
- "outcome": "success",
- "reason": "Logged in successfully"
- },
- "input": {
- "type": "httpjson"
- },
- "organization": {
- "name": "cb-xxxx-xxxx.com"
- },
- "related": {
- "ip": [
- "10.10.10.10"
- ]
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "carbon_black_cloud-audit"
- ]
-}
-```
-
-**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| carbon_black_cloud.audit.flagged | true if action is failed otherwise false. | boolean | -| carbon_black_cloud.audit.verbose | true if verbose audit log otherwise false. | boolean | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). 
| keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| organization.name | Organization name. | keyword | -| organization.name.text | Multi-field of `organization.name`. 
| match_only_text | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | - - -### Alert - -This is the `alert` dataset. - -An example event for `alert` looks as following: - -```json -{ - "@timestamp": "2020-11-17T22:05:13.000Z", - "agent": { - "ephemeral_id": "56053d91-103c-4c77-8f15-0a1006a80102", - "hostname": "docker-fleet-agent", - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "carbon_black_cloud": { - "alert": { - "category": "warning", - "device": { - "external_ip": "81.2.69.143", - "internal_ip": "81.2.69.144", - "location": "UNKNOWN", - "os": "WINDOWS" - }, - "last_update_time": "2020-11-17T22:05:13Z", - "legacy_alert_id": "C8EB7306-AF26-4A9A-B677-814B3AF69720", - "organization_key": "ABCD6X3T", - "policy": { - "applied": "APPLIED", - "id": 6997287, - "name": "Standard" - }, - "product_id": "0x5406", - "product_name": "U3 Cruzer Micro", - "reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC", - "run_state": "DID_NOT_RUN", - "sensor_action": "DENY", - "serial_number": "0875920EF7C2A304", - "target_value": "MEDIUM", - "threat_cause": { - "cause_event_id": "FCEE2AF0-D832-4C9F-B988-F11B46028C9E", - "threat_category": "NON_MALWARE", - "vector": "REMOVABLE_MEDIA" - }, - "threat_id": "t5678", - "type": "DEVICE_CONTROL", - "vendor_id": "0x0781", - "vendor_name": "SanDisk", - "workflow": { - "changed_by": "Carbon Black", - "last_update_time": "2020-11-17T22:02:16Z", - "state": "OPEN" - } - } - }, - "data_stream": 
{ - "dataset": "carbon_black_cloud.alert", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.0.0" - }, - "elastic_agent": { - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-04-14T11:46:13.154Z", - "dataset": "carbon_black_cloud.alert", - "end": "2020-11-17T22:02:16Z", - "id": "test1", - "ingested": "2022-04-14T11:46:14Z", - "kind": "alert", - "original": "{\"alert_url\":\"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976\",\"category\":\"WARNING\",\"create_time\":\"2020-11-17T22:05:13Z\",\"device_external_ip\":\"81.2.69.143\",\"device_id\":2,\"device_internal_ip\":\"81.2.69.144\",\"device_location\":\"UNKNOWN\",\"device_name\":\"DESKTOP-002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"test34@demo.com\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"id\":\"test1\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"policy_applied\":\"APPLIED\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"product_id\":\"0x5406\",\"product_name\":\"U3 Cruzer Micro\",\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). 
A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"run_state\":\"DID_NOT_RUN\",\"sensor_action\":\"DENY\",\"serial_number\":\"0875920EF7C2A304\",\"severity\":3,\"target_value\":\"MEDIUM\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_id\":\"t5678\",\"type\":\"DEVICE_CONTROL\",\"vendor_id\":\"0x0781\",\"vendor_name\":\"SanDisk\",\"workflow\":{\"changed_by\":\"Carbon Black\",\"comment\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"remediation\":\"\",\"state\":\"OPEN\"}}", - "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.", - "severity": 3, - "start": "2020-11-17T22:02:16Z", - "url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976" - }, - "host": { - "hostname": "DESKTOP-002", - "id": "2", - "ip": [ - "81.2.69.144", - "81.2.69.143" - ], - "name": "DESKTOP-002", - "os": { - "type": "windows", - "version": "Windows 10 x64" - } - }, - "input": { - "type": "httpjson" - }, - "related": { - "hosts": [ - "DESKTOP-002" - ], - "ip": [ - "81.2.69.144", - "81.2.69.143" - ], - "user": [ - "test34@demo.com" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-alert" - ], - "user": { - "name": "test34@demo.com" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| carbon_black_cloud.alert.blocked_threat_category | The category of threat which we were able to take action on. | keyword | -| carbon_black_cloud.alert.category | The category of the alert. | keyword | -| carbon_black_cloud.alert.count | | long | -| carbon_black_cloud.alert.created_by_event_id | Event identifier that initiated the alert. 
| keyword | -| carbon_black_cloud.alert.device.external_ip | External IP of the device. | ip | -| carbon_black_cloud.alert.device.internal_ip | Internal IP of the device. | ip | -| carbon_black_cloud.alert.device.location | The Location of device. | keyword | -| carbon_black_cloud.alert.device.os | OS of the device. | keyword | -| carbon_black_cloud.alert.document_guid | Unique ID of document. | keyword | -| carbon_black_cloud.alert.ioc.field | The field the indicator of comprise (IOC) hit contains. | keyword | -| carbon_black_cloud.alert.ioc.hit | IOC field value or IOC query that matches. | keyword | -| carbon_black_cloud.alert.ioc.id | The identifier of the IOC that cause the hit. | keyword | -| carbon_black_cloud.alert.kill_chain_status | The stage within the Cyber Kill Chain sequence most closely associated with the attributes of the alert. | keyword | -| carbon_black_cloud.alert.last_update_time | The last time the alert was updated as an ISO 8601 UTC timestamp. | date | -| carbon_black_cloud.alert.legacy_alert_id | The legacy identifier for the alert. | keyword | -| carbon_black_cloud.alert.not_blocked_threat_category | Other potentially malicious activity involved in the threat that we weren't able to take action on (either due to policy config, or not having a relevant rule). | keyword | -| carbon_black_cloud.alert.notes_present | Indicates if notes are associated with the threat_id. | boolean | -| carbon_black_cloud.alert.organization_key | The unique identifier for the organization associated with the alert. | keyword | -| carbon_black_cloud.alert.policy.applied | Whether a policy was applied. | keyword | -| carbon_black_cloud.alert.policy.id | The identifier for the policy associated with the device at the time of the alert. | long | -| carbon_black_cloud.alert.policy.name | The name of the policy associated with the device at the time of the alert. | keyword | -| carbon_black_cloud.alert.product_id | The hexadecimal id of the USB device's product. 
| keyword | -| carbon_black_cloud.alert.product_name | The name of the USB device’s vendor. | keyword | -| carbon_black_cloud.alert.reason_code | Shorthand enum for the full-text reason. | keyword | -| carbon_black_cloud.alert.report.id | The identifier of the report that contains the IOC. | keyword | -| carbon_black_cloud.alert.report.name | The name of the report that contains the IOC. | keyword | -| carbon_black_cloud.alert.run_state | Whether the threat in the alert ran. | keyword | -| carbon_black_cloud.alert.sensor_action | The action taken by the sensor, according to the rule of the policy. | keyword | -| carbon_black_cloud.alert.serial_number | The serial number of the USB device. | keyword | -| carbon_black_cloud.alert.status | status of alert. | keyword | -| carbon_black_cloud.alert.tags | Tags associated with the alert. | keyword | -| carbon_black_cloud.alert.target_value | The priority of the device assigned by the policy. | keyword | -| carbon_black_cloud.alert.threat_activity.c2 | Whether the alert involved a command and control (c2) server. | keyword | -| carbon_black_cloud.alert.threat_activity.dlp | Whether the alert involved data loss prevention (DLP). | keyword | -| carbon_black_cloud.alert.threat_activity.phish | Whether the alert involved phishing. | keyword | -| carbon_black_cloud.alert.threat_cause.actor.md5 | MD5 of the threat cause actor. | keyword | -| carbon_black_cloud.alert.threat_cause.actor.name | The name can be one of the following: process commandline, process name, or analytic matched threat. Analytic matched threats are Exploit, Malware, PUP, or Trojan. | keyword | -| carbon_black_cloud.alert.threat_cause.actor.process_pid | Process identifier (PID) of the actor process. | keyword | -| carbon_black_cloud.alert.threat_cause.actor.sha256 | SHA256 of the threat cause actor. | keyword | -| carbon_black_cloud.alert.threat_cause.cause_event_id | ID of the Event that triggered the threat. 
| keyword | -| carbon_black_cloud.alert.threat_cause.process.guid | The global unique identifier of the process. | keyword | -| carbon_black_cloud.alert.threat_cause.process.parent.guid | The global unique identifier of the process. | keyword | -| carbon_black_cloud.alert.threat_cause.reputation | Reputation of the threat cause. | keyword | -| carbon_black_cloud.alert.threat_cause.threat_category | Category of the threat cause. | keyword | -| carbon_black_cloud.alert.threat_cause.vector | The source of the threat cause. | keyword | -| carbon_black_cloud.alert.threat_id | The identifier of a threat which this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices. | keyword | -| carbon_black_cloud.alert.threat_indicators.process_name | Process name associated with threat. | keyword | -| carbon_black_cloud.alert.threat_indicators.sha256 | Sha256 associated with threat. | keyword | -| carbon_black_cloud.alert.threat_indicators.ttps | Tactics, techniques and procedures associated with threat. | keyword | -| carbon_black_cloud.alert.type | Type of alert. | keyword | -| carbon_black_cloud.alert.vendor_id | The hexadecimal id of the USB device's vendor. | keyword | -| carbon_black_cloud.alert.vendor_name | The name of the USB device’s vendor. | keyword | -| carbon_black_cloud.alert.watchlists.id | The identifier of watchlist. | keyword | -| carbon_black_cloud.alert.watchlists.name | The name of the watchlist. | keyword | -| carbon_black_cloud.alert.workflow.changed_by | The name of user who changed the workflow. | keyword | -| carbon_black_cloud.alert.workflow.comment | Comment associated with workflow. | keyword | -| carbon_black_cloud.alert.workflow.last_update_time | The last update time of workflow. | date | -| carbon_black_cloud.alert.workflow.remediation | N/A | keyword | -| carbon_black_cloud.alert.workflow.state | The state of workflow. 
| keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.dataset | Event dataset. | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. 
| long | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. 
| ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | - - -### Endpoint Event - -This is the `endpoint_event` dataset. - -An example event for `endpoint_event` looks as following: - -```json -{ - "process": { - "parent": { - "pid": 1684, - "entity_id": "XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62", - "command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\GuestAgent\\WindowsAzureGuestAgent.exe", - "executable": "c:\\windowsazure\\guestagent_2.7.41491.1010_2021-05-11_233023\\guestagent\\windowsazureguestagent.exe", - "hash": { - "sha256": "44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5", - "md5": "03dd698da2671383c9b4f868c9931879" - } - }, - "pid": 4880, - "entity_id": "XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37", - "command_line": "\"route.exe\" print", - "executable": "c:\\windows\\system32\\route.exe", - "hash": { - "sha256": "9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6", - "md5": "2498272dc48446891182747428d02a30" - } - }, - "ecs": { - "version": "8.0.0" - }, - "carbon_black_cloud": { - "endpoint_event": { - "schema": 1, - "event_origin": "EDR", - "process": { - "duration": 2, - "parent": { - "reputation": "REP_RESOLVING" - }, - "publisher": [ - { - "name": "Microsoft Windows", - "state": [ - "FILE_SIGNATURE_STATE_SIGNED", - "FILE_SIGNATURE_STATE_VERIFIED", - "FILE_SIGNATURE_STATE_TRUSTED", - "FILE_SIGNATURE_STATE_OS", - "FILE_SIGNATURE_STATE_CATALOG_SIGNED" - ] - } - ], - "reputation": "REP_RESOLVING", - "terminated": true, - "username": "NT AUTHORITY\\SYSTEM" - }, - "organization_key": "XXXXXXXX", - "backend": { - 
"timestamp": "2022-02-10 11:52:50 +0000 UTC" - }, - "target_cmdline": "\"route.exe\" print", - "type": "endpoint.event.procend", - "device": { - "os": "WINDOWS", - "timestamp": "2022-02-10 11:51:35.0684097 +0000 UTC", - "external_ip": "67.43.156.12" - }, - "sensor_action": "ACTION_ALLOW" - } - }, - "host": { - "hostname": "client-cb2", - "id": "4034605", - "os": { - "type": "windows" - }, - "ip": [ - "67.43.156.13" - ] - }, - "event": { - "action": "ACTION_PROCESS_TERMINATE", - "orignal": "{\"type\":\"endpoint.event.procend\",\"process_guid\":\"XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37\",\"parent_guid\":\"XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62\",\"backend_timestamp\":\"2022-02-10 11:52:50 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"4034605\",\"device_name\":\"client-cb2\",\"device_external_ip\":\"67.43.156.13\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_PROCESS_TERMINATE\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:51:35.0684097 +0000 UTC\",\"process_terminated\":true,\"process_duration\":2,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":4880,\"parent_pid\":1684,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_path\":\"c:\\\\windows\\\\system32\\\\route.exe\",\"parent_path\":\"c:\\\\windowsazure\\\\guestagent_2.7.41491.1010_2021-05-11_233023\\\\guestagent\\\\windowsazureguestagent.exe\",\"process_hash\":[\"2498272dc48446891182747428d02a30\",\"9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6\"],\"parent_hash\":[\"03dd698da2671383c9b4f868c9931879\",\"44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5\"],\"process_cmdline\":\"\\\"route.exe\\\" 
print\",\"parent_cmdline\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\\\GuestAgent\\\\WindowsAzureGuestAgent.exe\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"target_cmdline\":\"\\\"route.exe\\\" print\"}"
- },
- "data_stream": {
- "dataset": "carbon_black_cloud.endpoint_event",
- "namespace": "ep",
- "type": "logs"
- },
- "elastic_agent": {
- "id": "3b20ea47-9610-412d-97e3-47cd19b7e4d5",
- "snapshot": true,
- "version": "8.0.0"
- },
- "input": {
- "type": "aws-s3"
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "carbon_black_cloud-endpoint-event"
- ]
- }
- ```
-
- **Exported fields**
-
- | Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| carbon_black_cloud.endpoint_event.alert_id | The ID of the Alert this event is associated with. | keyword |
-| carbon_black_cloud.endpoint_event.backend.timestamp | Time when the backend received the batch of events. | keyword |
-| carbon_black_cloud.endpoint_event.childproc.guid | Unique ID of the child process. | keyword |
-| carbon_black_cloud.endpoint_event.childproc.hash.md5 | Cryptographic MD5 hashes of the executable file backing the child process. | keyword |
-| carbon_black_cloud.endpoint_event.childproc.hash.sha256 | Cryptographic SHA256 hashes of the executable file backing the child process. | keyword |
-| carbon_black_cloud.endpoint_event.childproc.name | Full path to the target of the crossproc event on the device's local file system. | keyword |
-| carbon_black_cloud.endpoint_event.childproc.pid | OS-reported Process ID of the child process. | long |
-| carbon_black_cloud.endpoint_event.childproc.publisher.name | The name of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.childproc.publisher.state | The state of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.childproc.reputation | Carbon Black Cloud Reputation string for the childproc. 
| keyword |
-| carbon_black_cloud.endpoint_event.childproc.username | The username associated with the user context that the child process was started under. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.action | The action taken on cross-process. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.api | Name of the operating system API called by the actor process. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.guid | Unique ID of the cross process. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.hash.md5 | Cryptographic MD5 hashes of the target of the crossproc event. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.hash.sha256 | Cryptographic SHA256 hashes of the target of the crossproc event. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.name | Full path to the target of the crossproc event on the device's local file system. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.publisher.name | The name of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.publisher.state | The state of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.reputation | Carbon Black Cloud Reputation string for the crossproc. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.target | True if the process was the target of the cross-process event; false if the process was the actor. | boolean |
-| carbon_black_cloud.endpoint_event.device.external_ip | External IP of the device. | ip |
-| carbon_black_cloud.endpoint_event.device.internal_ip | Internal IP of the device. | ip |
-| carbon_black_cloud.endpoint_event.device.os | Os name. | keyword |
-| carbon_black_cloud.endpoint_event.device.timestamp | Time seen on sensor. | keyword |
-| carbon_black_cloud.endpoint_event.event_origin | Indicates which product the event came from. "EDR" indicates the event originated from Enterprise EDR. "NGAV" indicates the event originated from Endpoint Standard. 
| keyword |
-| carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline | Deobfuscated script content run in a fileless context by the process. | keyword |
-| carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline_length | Character count of the deobfuscated script content run in a fileless context. | keyword |
-| carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5 | MD5 hash of the deobfuscated script content run by the process in a fileless context. | keyword |
-| carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256 | SHA-256 hash of the deobfuscated script content run by the process in a fileless context. | keyword |
-| carbon_black_cloud.endpoint_event.modload.count | Count of modload events reported by the sensor since last initialization. | long |
-| carbon_black_cloud.endpoint_event.modload.effective_reputation | Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred. | keyword |
-| carbon_black_cloud.endpoint_event.modload.publisher.name | The name of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.modload.publisher.state | The state of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.netconn.proxy.domain | DNS name associated with the "proxy" end of this network connection; may be empty if the name cannot be inferred or the connection is made direct to/from a proxy IP address. | keyword |
-| carbon_black_cloud.endpoint_event.netconn.proxy.ip | IPv4 or IPv6 address in string format associated with the "proxy" end of this network connection. | keyword |
-| carbon_black_cloud.endpoint_event.netconn.proxy.port | UDP/TCP port number associated with the "proxy" end of this network connection. | keyword |
-| carbon_black_cloud.endpoint_event.organization_key | The organization key associated with the console instance. 
| keyword |
-| carbon_black_cloud.endpoint_event.process.duration | The time difference in seconds between the process start and process terminate event. | long |
-| carbon_black_cloud.endpoint_event.process.parent.reputation | Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword |
-| carbon_black_cloud.endpoint_event.process.publisher.name | The name of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.process.publisher.state | The state of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.process.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword |
-| carbon_black_cloud.endpoint_event.process.terminated | True if process was terminated elase false. | boolean |
-| carbon_black_cloud.endpoint_event.process.username | The username associated with the user context that this process was started under. | keyword |
-| carbon_black_cloud.endpoint_event.schema | The schema version. The current schema version is "1". This schema version will only be incremented if the field definitions are changed in a backwards-incompatible way. | long |
-| carbon_black_cloud.endpoint_event.scriptload.count | Count of scriptload events across all processes reported by the sensor since last initialization. | long |
-| carbon_black_cloud.endpoint_event.scriptload.effective_reputation | Effective reputation(s) of the script file(s) loaded at process launch; applied by the sensor when the event occurred. | keyword |
-| carbon_black_cloud.endpoint_event.scriptload.hash.md5 | Cryptographic MD5 hashes of the target of the scriptload event. | keyword |
-| carbon_black_cloud.endpoint_event.scriptload.hash.sha256 | Cryptographic SHA256 hashes of the target of the scriptload event. 
| keyword |
-| carbon_black_cloud.endpoint_event.scriptload.name | Full path to the target of the crossproc event on the device's local file system. | keyword |
-| carbon_black_cloud.endpoint_event.scriptload.publisher.name | The name of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.scriptload.publisher.state | The state of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.scriptload.reputation | Carbon Black Cloud Reputation string for the scriptload. | keyword |
-| carbon_black_cloud.endpoint_event.sensor_action | The sensor action taken on event. | keyword |
-| carbon_black_cloud.endpoint_event.target_cmdline | Process command line associated with the target process. | keyword |
-| carbon_black_cloud.endpoint_event.type | The event type. | keyword |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. 
| keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dll.hash.md5 | MD5 hash. | keyword |
-| dll.hash.sha256 | SHA256 hash. | keyword |
-| dll.path | Full file path of the library. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.dataset | Event dataset. | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| file.hash.md5 | MD5 hash. 
| keyword |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. 
| keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
-| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
-| process.parent.hash.md5 | MD5 hash. | keyword |
-| process.parent.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.pid | Process id. | long |
-| process.pid | Process id. | long |
-| registry.path | Full path, including hive, key and value | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. 
| keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-
- ### Watchlist Hit
-
- This is the `watchlist_hit` dataset.
-
- An example event for `watchlist_hit` looks as following:
-
- ```json
- {
- "tags": [
- "preserve_original_event",
- "forwarded",
- "carbon_black_cloud-watchlist-hit"
- ],
- "input": {
- "type": "aws-s3"
- },
- "data_stream": {
- "namespace": "default",
- "type": "logs",
- "dataset": "carbon_black_cloud.watchlist_hit"
- },
- "agent": {
- "id": "e0d5f508-9616-400f-b26b-bb1aa6638b80",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "process": {
- "parent": {
- "pid": 4076,
- "entity_id": "7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1",
- "command_line": "C:\\WINDOWS\\system32\\cmd.exe /c \"sc query aella_conf | findstr RUNNING \u003e null\"",
- "executable": "c:\\windows\\syswow64\\cmd.exe",
- "hash": {
- "sha256": "4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22",
- "md5": "d0fce3afa6aa1d58ce9fa336cc2b675b"
- }
- },
- "pid": 7516,
- "entity_id": "7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6",
- "command_line": "sc query aella_conf ",
- "executable": "c:\\windows\\syswow64\\sc.exe",
- "hash": {
- "sha256": "4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2",
- "md5": "d9d7684b8431a0d10d0e76fe9f5ffec8"
- }
- },
- "carbon_black_cloud": {
- "watchlist_hit": {
- "schema": 1,
- "process": {
- "parent": {
- "publisher": [
- {
- 
"name": "Microsoft Windows",
- "state": [
- "FILE_SIGNATURE_STATE_SIGNED",
- "FILE_SIGNATURE_STATE_VERIFIED",
- "FILE_SIGNATURE_STATE_TRUSTED",
- "FILE_SIGNATURE_STATE_OS",
- "FILE_SIGNATURE_STATE_CATALOG_SIGNED"
- ]
- }
- ],
- "reputation": "REP_WHITE",
- "username": "NT AUTHORITY\\SYSTEM"
- },
- "publisher": [
- {
- "name": "Microsoft Windows",
- "state": [
- "FILE_SIGNATURE_STATE_SIGNED",
- "FILE_SIGNATURE_STATE_VERIFIED",
- "FILE_SIGNATURE_STATE_TRUSTED",
- "FILE_SIGNATURE_STATE_OS",
- "FILE_SIGNATURE_STATE_CATALOG_SIGNED"
- ]
- }
- ],
- "reputation": "REP_WHITE",
- "username": "NT AUTHORITY\\SYSTEM"
- },
- "organization_key": "xxxxxxxx",
- "report": {
- "name": "Discovery - System Service Discovery Detected",
- "id": "CFnKBKLTv6hUkBGFobRdg-565571",
- "tags": [
- "attack",
- "attackframework",
- "threathunting",
- "hunting",
- "t1007",
- "recon",
- "discovery",
- "windows"
- ]
- },
- "watchlists": [
- {
- "name": "ATT\u0026CK Framework",
- "id": "P5f9AW29TGmTOvBW156Cig"
- }
- ],
- "type": "watchlist.hit",
- "ioc": {
- "hit": "((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true",
- "id": "565571-0"
- },
- "device": {
- "internal_ip": "10.10.156.12",
- "external_ip": "67.43.156.12",
- "os": "WINDOWS"
- }
- }
- },
- "host": {
- "hostname": "Carbonblack-win1",
- "os": {
- "type": "windows"
- },
- "ip": [
- "10.10.156.12",
- "67.43.156.12"
- ],
- "id": "4467271"
- },
- "event": {
- "kind": "event",
- "severity": 3,
- "agent_id_status": "verified",
- "ingested": "2022-02-17T07:23:31Z",
- "original": "{\"schema\":1,\"create_time\":\"2022-02-10T23:54:32.449Z\",\"device_external_ip\":\"205.234.30.196\",\"device_id\":4467271,\"device_internal_ip\":\"10.33.4.214\",\"device_name\":\"Carbonblack-win1\",\"device_os\":\"WINDOWS\",\"ioc_hit\":\"((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true\",\"ioc_id\":\"565571-0\",\"org_key\":\"7DESJ9GN\",\"parent_cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe 
/c \\\"sc query aella_conf | findstr RUNNING \\u003e null\\\"\",\"parent_guid\":\"7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1\",\"parent_hash\":[\"d0fce3afa6aa1d58ce9fa336cc2b675b\",\"4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22\"],\"parent_path\":\"c:\\\\windows\\\\syswow64\\\\cmd.exe\",\"parent_pid\":4076,\"parent_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"parent_reputation\":\"REP_WHITE\",\"parent_username\":\"NT AUTHORITY\\\\SYSTEM\",\"process_cmdline\":\"sc query aella_conf \",\"process_guid\":\"7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6\",\"process_hash\":[\"d9d7684b8431a0d10d0e76fe9f5ffec8\",\"4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2\"],\"process_path\":\"c:\\\\windows\\\\syswow64\\\\sc.exe\",\"process_pid\":7516,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_reputation\":\"REP_WHITE\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"report_id\":\"CFnKBKLTv6hUkBGFobRdg-565571\",\"report_name\":\"Discovery - System Service Discovery Detected\",\"report_tags\":[\"attack\",\"attackframework\",\"threathunting\",\"hunting\",\"t1007\",\"recon\",\"discovery\",\"windows\"],\"severity\":3,\"type\":\"watchlist.hit\",\"watchlists\":[{\"id\":\"P5f9AW29TGmTOvBW156Cig\",\"name\":\"ATT\\u0026CK Framework\"}]}"
- "dataset": "carbon_black_cloud.watchlist_hit"
- }
- }
- ```
-
- **Exported fields**
-
- | Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| carbon_black_cloud.watchlist_hit.device.external_ip | External IP of the device. | ip |
-| carbon_black_cloud.watchlist_hit.device.internal_ip | Internal IP of the device. 
| ip |
-| carbon_black_cloud.watchlist_hit.device.os | OS Type of device (Windows/OSX/Linux). | keyword |
-| carbon_black_cloud.watchlist_hit.ioc.field | Field the IOC hit contains. | keyword |
-| carbon_black_cloud.watchlist_hit.ioc.hit | IOC field value, or IOC query that matches. | keyword |
-| carbon_black_cloud.watchlist_hit.ioc.id | ID of the IOC that caused the hit. | keyword |
-| carbon_black_cloud.watchlist_hit.organization_key | The organization key associated with the console instance. | keyword |
-| carbon_black_cloud.watchlist_hit.process.parent.publisher.name | The name of the publisher. | keyword |
-| carbon_black_cloud.watchlist_hit.process.parent.publisher.state | The state of the publisher. | keyword |
-| carbon_black_cloud.watchlist_hit.process.parent.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword |
-| carbon_black_cloud.watchlist_hit.process.parent.username | The username associated with the user context that this process was started under. | keyword |
-| carbon_black_cloud.watchlist_hit.process.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword |
-| carbon_black_cloud.watchlist_hit.process.username | The username associated with the user context that this process was started under. | keyword |
-| carbon_black_cloud.watchlist_hit.report.id | ID of the watchlist report(s) that detected a hit on the process. | keyword |
-| carbon_black_cloud.watchlist_hit.report.name | Name of the watchlist report(s) that detected a hit on the process. | keyword |
-| carbon_black_cloud.watchlist_hit.report.tags | List of tags associated with the report(s) that detected a hit on the process. | keyword |
-| carbon_black_cloud.watchlist_hit.schema | Schema version. | long |
-| carbon_black_cloud.watchlist_hit.type | The watchlist hit type. 
| keyword |
-| carbon_black_cloud.watchlist_hit.watchlists.id | The ID of the watchlists. | keyword |
-| carbon_black_cloud.watchlist_hit.watchlists.name | The name of the watchlists. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.dataset | Event dataset. | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. 
| wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
-| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
-| process.parent.hash.md5 | MD5 hash. | keyword |
-| process.parent.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.pid | Process id. | long |
-| process.pid | Process id. 
| long | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | - - -### Asset Vulnerability Summary - -This is the `asset_vulnerability_summary` dataset. - -An example event for `asset_vulnerability_summary` looks as following: - -```json -{ - "@timestamp": "2022-04-14T11:47:25.371Z", - "agent": { - "ephemeral_id": "377d9292-c7d0-4c30-bbee-faf4848d30d8", - "hostname": "docker-fleet-agent", - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "carbon_black_cloud": { - "asset_vulnerability_summary": { - "last_sync": { - "timestamp": "2022-01-17T08:33:37.384Z" - }, - "os_info": { - "os_arch": "64-bit" - }, - "sync": { - "status": "COMPLETED", - "type": "SCHEDULED" - }, - "type": "ENDPOINT", - "vuln_count": 1770 - } - }, - "data_stream": { - "dataset": "carbon_black_cloud.asset_vulnerability_summary", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.0.0" - }, - "elastic_agent": { - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-04-14T11:47:25.371Z", - "dataset": "carbon_black_cloud.asset_vulnerability_summary", - "ingested": "2022-04-14T11:47:26Z", - "original": 
"{\"cve_ids\":null,\"device_id\":8,\"highest_risk_score\":10,\"host_name\":\"DESKTOP-008\",\"last_sync_ts\":\"2022-01-17T08:33:37.384932Z\",\"name\":\"DESKTOP-008KK\",\"os_info\":{\"os_arch\":\"64-bit\",\"os_name\":\"Microsoft Windows 10 Education\",\"os_type\":\"WINDOWS\",\"os_version\":\"10.0.17763\"},\"severity\":\"CRITICAL\",\"sync_status\":\"COMPLETED\",\"sync_type\":\"SCHEDULED\",\"type\":\"ENDPOINT\",\"vm_id\":\"\",\"vm_name\":\"\",\"vuln_count\":1770}" - }, - "host": { - "hostname": "DESKTOP-008", - "id": "8", - "name": "DESKTOP-008KK", - "os": { - "name": "Microsoft Windows 10 Education", - "type": "windows", - "version": "10.0.17763" - } - }, - "input": { - "type": "httpjson" - }, - "related": { - "hosts": [ - "DESKTOP-008" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-asset-vulnerability-summary" - ], - "vulnerability": { - "score": { - "base": 10 - }, - "severity": "CRITICAL" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| carbon_black_cloud.asset_vulnerability_summary.last_sync.timestamp | The identifier is for the Last sync time. | date | -| carbon_black_cloud.asset_vulnerability_summary.os_info.os_arch | The identifier is for the Operating system architecture. | keyword | -| carbon_black_cloud.asset_vulnerability_summary.sync.status | The identifier is for the Device sync status. | keyword | -| carbon_black_cloud.asset_vulnerability_summary.sync.type | The identifier is for the Whether a manual sync was triggered for the device, or if it was a scheduled sync. | keyword | -| carbon_black_cloud.asset_vulnerability_summary.type | The identifier is for the Device type. | keyword | -| carbon_black_cloud.asset_vulnerability_summary.vm.id | The identifier is for the Virtual Machine ID. | keyword | -| carbon_black_cloud.asset_vulnerability_summary.vm.name | The identifier is for the Virtual Machine name. 
| keyword |
-| carbon_black_cloud.asset_vulnerability_summary.vuln_count | The identifier is for the Number of vulnerabilities at this level. | integer |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. 
One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float |
-| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword |
diff --git a/packages/carbon_black_cloud/1.0.2/img/carbon_black_cloud-logo.svg b/packages/carbon_black_cloud/1.0.2/img/carbon_black_cloud-logo.svg
deleted file mode 100755
index 180cc3d212..0000000000
--- a/packages/carbon_black_cloud/1.0.2/img/carbon_black_cloud-logo.svg
+++ /dev/null
@@ -1,91 +0,0 @@
- - - - -Created by potrace 1.16, written by Peter Selinger 2001-2019 - - - - - - - - - - - - - - - - - - - - - 
diff --git a/packages/carbon_black_cloud/1.0.2/img/carbon_black_cloud-screenshot.png b/packages/carbon_black_cloud/1.0.2/img/carbon_black_cloud-screenshot.png
deleted file mode 100755
index 6fda3c108d..0000000000
Binary files a/packages/carbon_black_cloud/1.0.2/img/carbon_black_cloud-screenshot.png and /dev/null differ
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/dashboard/carbon_black_cloud-7e095a40-e325-11ec-8642-e7f3d8b25a9b.json b/packages/carbon_black_cloud/1.0.2/kibana/dashboard/carbon_black_cloud-7e095a40-e325-11ec-8642-e7f3d8b25a9b.json
deleted file mode 100755
index 4879b5460d..0000000000
--- a/packages/carbon_black_cloud/1.0.2/kibana/dashboard/carbon_black_cloud-7e095a40-e325-11ec-8642-e7f3d8b25a9b.json
+++ /dev/null
@@ -1,158 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c54d9223-56ad-42b4-9452-a44657dbcd6e\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"c54d9223-56ad-42b4-9452-a44657dbcd6e\",\"panelRefName\":\"panel_c54d9223-56ad-42b4-9452-a44657dbcd6e\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d3728fd5-5390-4448-8f26-277521569f30\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"d3728fd5-5390-4448-8f26-277521569f30\",\"panelRefName\":\"panel_d3728fd5-5390-4448-8f26-277521569f30\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c\",\"panelRefName\":\"panel_f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5f57acd4-74a8-4d97-9e7b-d7b069efc867\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"5f57acd4-74a8-4d97-9e7b-d7b069efc867\",\"panelRefName\":\"panel_5f57acd4-74a8-4d97-9e7b-d7b069efc867\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"909c2914-4695-42dd-aa36-93e043a5c025\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"909c2914-4695-42dd-aa36-93e043a5c025\",\"panelRefName\":\"panel_909c2914-4695-42dd-aa36-93e043a5c025\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridDa
ta\":{\"h\":15,\"i\":\"c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5\",\"panelRefName\":\"panel_c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9e320d15-f9df-4aea-9564-ac1c4257b51b\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"9e320d15-f9df-4aea-9564-ac1c4257b51b\",\"panelRefName\":\"panel_9e320d15-f9df-4aea-9564-ac1c4257b51b\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c\",\"panelRefName\":\"panel_5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7da33ed3-29d9-4fe1-87a9-4debfc7bdd24\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"7da33ed3-29d9-4fe1-87a9-4debfc7bdd24\",\"panelRefName\":\"panel_7da33ed3-29d9-4fe1-87a9-4debfc7bdd24\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ed2de824-c493-4240-a6b5-329889c40c43\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"ed2de824-c493-4240-a6b5-329889c40c43\",\"panelRefName\":\"panel_ed2de824-c493-4240-a6b5-329889c40c43\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a6d4e61e-57bc-413a-8c68-5f55ab59e16a\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"a6d4e61e-57bc-413a-8c68-5f55ab59e16a\",\"panelRefName\":\"panel_a6d4e61e-57bc-413a-8c68-5f55ab59e16a\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bf749130-3138-45fe-a010-5b30b4636e7b\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"bf749130-3138-45fe-
a010-5b30b4636e7b\",\"panelRefName\":\"panel_bf749130-3138-45fe-a010-5b30b4636e7b\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"44ed553e-d5cc-4841-85e9-0d8af122086a\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"44ed553e-d5cc-4841-85e9-0d8af122086a\",\"panelRefName\":\"panel_44ed553e-d5cc-4841-85e9-0d8af122086a\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"cd3cb74e-b13e-4a52-a48c-82d13a59421a\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"cd3cb74e-b13e-4a52-a48c-82d13a59421a\",\"panelRefName\":\"panel_cd3cb74e-b13e-4a52-a48c-82d13a59421a\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"42b64f1c-9526-4430-8f62-cc6596cf07d7\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"42b64f1c-9526-4430-8f62-cc6596cf07d7\",\"panelRefName\":\"panel_42b64f1c-9526-4430-8f62-cc6596cf07d7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b2fe20be-cad5-4bfa-abd1-c9b069fd2494\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"b2fe20be-cad5-4bfa-abd1-c9b069fd2494\",\"panelRefName\":\"panel_b2fe20be-cad5-4bfa-abd1-c9b069fd2494\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ef6af3c0-10e9-46af-933c-a032464bdecf\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"ef6af3c0-10e9-46af-933c-a032464bdecf\",\"panelRefName\":\"panel_ef6af3c0-10e9-46af-933c-a032464bdecf\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc\",\"panelRefName\":\"panel_f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc\",\"type\":\"visualization\",\"version\"
:\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"247ad399-6383-4bf0-910e-9cb6767781c3\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"247ad399-6383-4bf0-910e-9cb6767781c3\",\"panelRefName\":\"panel_247ad399-6383-4bf0-910e-9cb6767781c3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5c60fc1b-5ad1-4036-8adc-ce9adf455758\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"5c60fc1b-5ad1-4036-8adc-ce9adf455758\",\"panelRefName\":\"panel_5c60fc1b-5ad1-4036-8adc-ce9adf455758\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"0a228399-6f69-4803-b4cd-65f30dca5890\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"0a228399-6f69-4803-b4cd-65f30dca5890\",\"panelRefName\":\"panel_0a228399-6f69-4803-b4cd-65f30dca5890\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5b015940-3fee-411a-be82-661078ead366\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"5b015940-3fee-411a-be82-661078ead366\",\"panelRefName\":\"panel_5b015940-3fee-411a-be82-661078ead366\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"655bc1d2-5c31-4a38-9759-ab72f88bdb92\",\"w\":24,\"x\":24,\"y\":150},\"panelIndex\":\"655bc1d2-5c31-4a38-9759-ab72f88bdb92\",\"panelRefName\":\"panel_655bc1d2-5c31-4a38-9759-ab72f88bdb92\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8cdf7cdc-1858-4561-9e3b-5b5c73498586\",\"w\":24,\"x\":0,\"y\":165},\"panelIndex\":\"8cdf7cdc-1858-4561-9e3b-5b5c73498586\",\"panelRefName\":\"panel_8cdf7cdc-1858-4561-9e3b-5b5c73498586\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2d6c60e3-32cc-4746-bc7d-3fa40b8
0447c\",\"w\":24,\"x\":24,\"y\":165},\"panelIndex\":\"2d6c60e3-32cc-4746-bc7d-3fa40b80447c\",\"panelRefName\":\"panel_2d6c60e3-32cc-4746-bc7d-3fa40b80447c\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":23,\"i\":\"bc34dc1a-ba27-489e-a950-90a978974351\",\"w\":48,\"x\":0,\"y\":180},\"panelIndex\":\"bc34dc1a-ba27-489e-a950-90a978974351\",\"panelRefName\":\"panel_bc34dc1a-ba27-489e-a950-90a978974351\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-1h", - "timeRestore": true, - "timeTo": "now", - "title": "[Carbon Black Cloud] Alert", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-7e095a40-e325-11ec-8642-e7f3d8b25a9b", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95", - "name": "c54d9223-56ad-42b4-9452-a44657dbcd6e:panel_c54d9223-56ad-42b4-9452-a44657dbcd6e", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95", - "name": "d3728fd5-5390-4448-8f26-277521569f30:panel_d3728fd5-5390-4448-8f26-277521569f30", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95", - "name": "f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c:panel_f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95", - "name": "5f57acd4-74a8-4d97-9e7b-d7b069efc867:panel_5f57acd4-74a8-4d97-9e7b-d7b069efc867", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95", - "name": "909c2914-4695-42dd-aa36-93e043a5c025:panel_909c2914-4695-42dd-aa36-93e043a5c025", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95", - "name": 
"c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5:panel_c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95", - "name": "9e320d15-f9df-4aea-9564-ac1c4257b51b:panel_9e320d15-f9df-4aea-9564-ac1c4257b51b", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95", - "name": "5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c:panel_5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95", - "name": "7da33ed3-29d9-4fe1-87a9-4debfc7bdd24:panel_7da33ed3-29d9-4fe1-87a9-4debfc7bdd24", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95", - "name": "ed2de824-c493-4240-a6b5-329889c40c43:panel_ed2de824-c493-4240-a6b5-329889c40c43", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95", - "name": "a6d4e61e-57bc-413a-8c68-5f55ab59e16a:panel_a6d4e61e-57bc-413a-8c68-5f55ab59e16a", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95", - "name": "bf749130-3138-45fe-a010-5b30b4636e7b:panel_bf749130-3138-45fe-a010-5b30b4636e7b", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95", - "name": "44ed553e-d5cc-4841-85e9-0d8af122086a:panel_44ed553e-d5cc-4841-85e9-0d8af122086a", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95", - "name": "cd3cb74e-b13e-4a52-a48c-82d13a59421a:panel_cd3cb74e-b13e-4a52-a48c-82d13a59421a", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95", - "name": "42b64f1c-9526-4430-8f62-cc6596cf07d7:panel_42b64f1c-9526-4430-8f62-cc6596cf07d7", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95", - "name": 
"b2fe20be-cad5-4bfa-abd1-c9b069fd2494:panel_b2fe20be-cad5-4bfa-abd1-c9b069fd2494", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95", - "name": "ef6af3c0-10e9-46af-933c-a032464bdecf:panel_ef6af3c0-10e9-46af-933c-a032464bdecf", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95", - "name": "f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc:panel_f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95", - "name": "247ad399-6383-4bf0-910e-9cb6767781c3:panel_247ad399-6383-4bf0-910e-9cb6767781c3", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95", - "name": "5c60fc1b-5ad1-4036-8adc-ce9adf455758:panel_5c60fc1b-5ad1-4036-8adc-ce9adf455758", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b", - "name": "0a228399-6f69-4803-b4cd-65f30dca5890:panel_0a228399-6f69-4803-b4cd-65f30dca5890", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95", - "name": "5b015940-3fee-411a-be82-661078ead366:panel_5b015940-3fee-411a-be82-661078ead366", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95", - "name": "655bc1d2-5c31-4a38-9759-ab72f88bdb92:panel_655bc1d2-5c31-4a38-9759-ab72f88bdb92", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95", - "name": "8cdf7cdc-1858-4561-9e3b-5b5c73498586:panel_8cdf7cdc-1858-4561-9e3b-5b5c73498586", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95", - "name": "2d6c60e3-32cc-4746-bc7d-3fa40b80447c:panel_2d6c60e3-32cc-4746-bc7d-3fa40b80447c", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95", - "name": 
"bc34dc1a-ba27-489e-a950-90a978974351:panel_bc34dc1a-ba27-489e-a950-90a978974351", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 129cd1c62a..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"table\":null,\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":0,\"width\":831}]}}},\"gridData\":{\"h\":15,\"i\":\"c8d90872-b3b3-447d-a9fc-ada6409efeb2\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"c8d90872-b3b3-447d-a9fc-ada6409efeb2\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"16128cf1-2134-46a9-9fd3-19889a2a6c9e\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"16128cf1-2134-46a9-9fd3-19889a2a6c9e\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"84a10ea8-959c-4fe7-852d-835b3786ed17\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"84a10ea8-959c-4fe7-852d-835b3786ed17\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"cd3e5a79-3640-47ff-95cd-c54debb5ee2d\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"cd3e5a79-3640-47ff-95cd-c54debb5ee2d\",\"panelRefName\":\"panel_3\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Carbon Black Cloud] Audit Logs", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95", - "name": "panel_0", - "type": "visualization" - }, - { - "id": 
"carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95", - "name": "panel_3", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.2/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json deleted file mode 100755 index e3f216759c..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"carbon_black_cloud.endpoint_event.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"f19543f7-04f5-42dd-849b-5f2fd8ca15f8\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"f19543f7-04f5-42dd-849b-5f2fd8ca15f8\",\"title\":\"[Carbon Black Cloud] Top 10 Event 
Types\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bee43023-c427-4176-ba31-2c4831cbc44e\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"bee43023-c427-4176-ba31-2c4831cbc44e\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1727b9fb-4ba0-4f78-aa54-0d52db62b624\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"1727b9fb-4ba0-4f78-aa54-0d52db62b624\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10a11498-6416-4b72-adc6-78a5d7937428\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"10a11498-6416-4b72-adc6-78a5d7937428\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"719006b6-32b2-4ed0-aecd-a1a1f37b471b\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"719006b6-32b2-4ed0-aecd-a1a1f37b471b\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"735f366c-91c5-4f33-961f-4db200acc05c\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"735f366c-91c5-4f33-961f-4db200acc05c\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"14a95a5a-61e8-459c-95bc-d1b11eed9054\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"14a95a5a-61e8-459c-95bc-d1b11eed9054\",\"panelRefName\":\"panel_5\",\"title\":\"[Carbon Black Cloud] Top 10 Device External 
IP\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3cc67760-3bba-4282-b91e-db120e8abe4e\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"3cc67760-3bba-4282-b91e-db120e8abe4e\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9df5251e-52af-4509-b30e-d62f8ef9a3a3\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"9df5251e-52af-4509-b30e-d62f8ef9a3a3\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"04d664de-8814-4314-8f6e-2774b11ab572\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"04d664de-8814-4314-8f6e-2774b11ab572\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c80e4ab0-c5b5-4916-9025-d006a37aa7ba\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"c80e4ab0-c5b5-4916-9025-d006a37aa7ba\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f57a7bf6-bc25-433b-8019-6489124907b6\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"f57a7bf6-bc25-433b-8019-6489124907b6\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c9984aec-8f3f-456a-aa80-b1fc314eb681\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"c9984aec-8f3f-456a-aa80-b1fc314eb681\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"3232147b-0914-4432-ba42-0c6c03414e4b\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"3232147b-0914-4432-ba42-0c6c03414e4b\",\"panelRefName\":\"panel_12\",\"title\":\"[Carbon 
Black Cloud] Top 10 Effective Reputation of Loaded Modules\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"391470e2-57a0-46c7-86bd-f66c6eb2ed66\",\"w\":48,\"x\":0,\"y\":105},\"panelIndex\":\"391470e2-57a0-46c7-86bd-f66c6eb2ed66\",\"panelRefName\":\"panel_13\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Carbon Black Cloud] Endpoint Event", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "f19543f7-04f5-42dd-849b-5f2fd8ca15f8:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7", - "name": 
"panel_9", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7", - "name": "panel_13", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.2/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index ee0df3955b..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"604c7824-2086-4750-bd55-42ffffa9fc11\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"604c7824-2086-4750-bd55-42ffffa9fc11\",\"panelRefName\":\"panel_0\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by OS Type, OS Version\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"bd12665d-43af-45c1-b05e-556ed72556fa\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"bd12665d-43af-45c1-b05e-556ed72556fa\",\"panelRefName\":\"panel_1\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Sync Status\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"fab676af-f870-4fd6-ac5d-3e17a224aaa8\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"fab676af-f870-4fd6-ac5d-3e17a224aaa8\",\"panelRefName\":\"panel_2\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Severity\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e3d4c200-17e9-4303-9073-b9dc8c95a790\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"e3d4c200-17e9-4303-9073-b9dc8c95a790\",\"panelRefName\":\"panel_3\",\"title\":\"[Carbon Black Cloud] 
Top 10 Hosts with Highest Vulnerability Count\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"624500b9-5f23-4c1c-b84b-83c5f20b72bb\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"624500b9-5f23-4c1c-b84b-83c5f20b72bb\",\"panelRefName\":\"panel_4\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Sync Type\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"0ec67461-93e2-49df-bcd9-3407fabd5832\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"0ec67461-93e2-49df-bcd9-3407fabd5832\",\"panelRefName\":\"panel_5\",\"title\":\"[Carbon Black Cloud] Top 10 Hosts with Highest Risk Score\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"66d4f664-5644-48c9-b179-ddd94e1a3e46\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"66d4f664-5644-48c9-b179-ddd94e1a3e46\",\"panelRefName\":\"panel_6\",\"title\":\"[Carbon Black Cloud] Top 10 OS Names\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":20,\"i\":\"6e5579cc-cd91-4f7b-a221-e9bed77aa2b5\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"6e5579cc-cd91-4f7b-a221-e9bed77aa2b5\",\"panelRefName\":\"panel_7\",\"title\":\"[Carbon Black Cloud] Asset Vulnerability Assessment Essential Details\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"244dc3ee-7810-4f22-b915-bc0a8118fb2a\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"244dc3ee-7810-4f22-b915-bc0a8118fb2a\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": 
"[Carbon Black Cloud] Asset Vulnerability Summary", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf", - "name": "panel_7", - "type": "search" - }, - { - "id": "carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf", - "name": "panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.2/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 94761c84e1..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8dc3cf12-046a-4901-b213-c29985291e77\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"8dc3cf12-046a-4901-b213-c29985291e77\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device External IP\",\"field\":\"carbon_black_cloud.watchlist_hit.device.external_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"\",\"type\":\"table\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4f7b5cef-a7e9-44a9-8769-44d5326a8df4\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"4f7b5cef-a7e9-44a9-8769-44d5326a8df4\",\"title\":\"[Carbon Black Cloud] Top 10 Device External 
IPs\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit Name\",\"field\":\"carbon_black_cloud.watchlist_hit.watchlists.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Watchlist Hit Names\",\"type\":\"table\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"3d454d18-6baa-40de-aa94-4ebfaee9a759\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"3d454d18-6baa-40de-aa94-4ebfaee9a759\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"event.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Severity\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"b0289aae-02bb-472e-8a22-07ff9f5d2372\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"b0289aae-02bb-472e-8a22-07ff9f5d2372\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Reputation\",\"field\":\"carbon_black_cloud.watchlist_hit.process.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"d29f5a98-736d-4f47-877e-b4552d15f889\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"d29f5a98-736d-4f47-877e-b4552d15f889\",\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Process Reputation\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Reputation\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Process Reputation\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"ae5c96d5-b7d6-45f8-b57b-42cc190f990b\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"ae5c96d5-b7d6-45f8-b57b-42cc190f990b\",\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Parent Process Reputation\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f3ba83bc-4f34-4131-9a0c-bac18ec92ac0\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"f3ba83bc-4f34-4131-9a0c-bac18ec92ac0\",\"panelRefName\":\"panel_1\",\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher 
Names\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5271fb1f-64a6-461e-b2de-4abc76736af6\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"5271fb1f-64a6-461e-b2de-4abc76736af6\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c2fdcbe-43cb-4070-88ef-03e6e5082636\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"9c2fdcbe-43cb-4070-88ef-03e6e5082636\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bc0503e7-6c6d-4edf-a76e-17a74f7d0957\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"bc0503e7-6c6d-4edf-a76e-17a74f7d0957\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"d02cda3a-ceef-4766-b25b-456733be2a66\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"d02cda3a-ceef-4766-b25b-456733be2a66\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5b66a72e-ce08-441c-8705-bb632b896745\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"5b66a72e-ce08-441c-8705-bb632b896745\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6bff08c7-8ffb-423e-87de-f7585aa6bc86\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"6bff08c7-8ffb-423e-87de-f7585aa6bc86\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"437c123b-c447-476e-a28b-f3d965a50968\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"437c123b-c447-476e-a28b-f3d965a50968\",\"panelRefName\":\"panel_8\",\"type\":\"visualiz
ation\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"33d80097-0089-4b48-8fd9-5dcda9e58e48\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"33d80097-0089-4b48-8fd9-5dcda9e58e48\",\"panelRefName\":\"panel_9\",\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher States\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"50a006ac-7108-47e5-adef-876c15fc8b44\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"50a006ac-7108-47e5-adef-876c15fc8b44\",\"panelRefName\":\"panel_10\",\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher States\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":31,\"i\":\"cfec84cb-87af-4b98-b855-17372eee70c8\",\"w\":48,\"x\":0,\"y\":120},\"panelIndex\":\"cfec84cb-87af-4b98-b855-17372eee70c8\",\"panelRefName\":\"panel_11\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Carbon Black Cloud] Watchlist Hit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "4f7b5cef-a7e9-44a9-8769-44d5326a8df4:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3d454d18-6baa-40de-aa94-4ebfaee9a759:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b0289aae-02bb-472e-8a22-07ff9f5d2372:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"d29f5a98-736d-4f47-877e-b4552d15f889:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ae5c96d5-b7d6-45f8-b57b-42cc190f990b:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826", - "name": "panel_11", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.2/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json deleted file mode 100755 index fde5382f93..0000000000 
--- a/packages/carbon_black_cloud/1.0.2/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "carbon_black_cloud.watchlist_hit.watchlists.name", - "process.command_line", - "process.parent.command_line", - "process.executable", - "process.parent.executable", - "carbon_black_cloud.watchlist_hit.ioc.id", - "carbon_black_cloud.watchlist_hit.ioc.hit" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Carbon Black Cloud] Watchlist Hit Essential Details" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index fdc104f3b2..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.id", - "client.user.id", - "event.reason", - "client.ip" - ], - "description": "", - "grid": {}, - "hideChart": true, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Carbon Black Cloud] Audit Essential Details" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.2/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 800a5cb006..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "carbon_black_cloud.endpoint_event.type", - "process.command_line", - "process.parent.command_line", - "dll.path", - "carbon_black_cloud.endpoint_event.target_cmdline", - "process.executable", - "process.parent.executable" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Carbon Black Cloud] Endpoint Events Essential Details" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 1a37e59347..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.id", - "event.reason", - "event.url", - "carbon_black_cloud.alert.threat_indicators.process_name", - "carbon_black_cloud.alert.category" - ], - "description": "", - "grid": {}, - "hideChart": true, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Carbon Black Cloud] Alerts Essential Details" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.2/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index c060c3bd41..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.hostname", - "vulnerability.severity", - "vulnerability.score.base", - "carbon_black_cloud.asset_vulnerability_summary.vuln_count" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Carbon Black Cloud] Asset Vulnerability Assessment Essential Details" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json deleted file mode 100755 index bf6bf9170c..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Publisher State", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher State\",\"field\":\"carbon_black_cloud.watchlist_hit.process.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher State\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 329118ed72..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by OS, OS version", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Version\",\"field\":\"host.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":true,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by OS, OS version\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } 
- ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index fb78529067..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Client IPs", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client IPs\",\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Client IPs\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index edfb4ab922..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Indicators TTPS", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Indicators TTPS\",\"field\":\"carbon_black_cloud.alert.threat_indicators.ttps\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"posit
ion\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Indicators TTPS\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json deleted file mode 100755 index e058315a1e..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Actions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Actions\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show
\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Top 10 Actions\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json deleted file mode 100755 index e9926e3521..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Watchlist Hit by OS", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"carbon_black_cloud.watchlist_hit.device.os\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by OS\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 5c97a8d4eb..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Severity", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"event.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Severity\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 8bb3adabfb..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Parent Process Publisher State", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Publisher State\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher State\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 7bec55f465..0000000000 
--- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Child Process Username", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Username\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":9},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Username\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index e4b7fe64f8..0000000000 
--- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Type\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 6b1cb56ea0..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Endpoint Events by Event Origin", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Origin\",\"field\":\"carbon_black_cloud.endpoint_event.event_origin\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{
\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by Event Origin\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index c59f3f2623..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Category of the Threat Cause", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category of the Threat Cause\",\"field\":\"carbon_black_cloud.alert.threat_cause.threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"Le
ftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Category of the Threat Cause\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 0a01e78828..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Publisher Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher Name\",\"field\":\"carbon_black_cloud.watchlist_hit.process.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 682f389163..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Endpoint Events by OS", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device OS\",\"field\":\"carbon_black_cloud.endpoint_event.device.os\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by OS\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 7af6d5ad55..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 IOC Hits", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Hit\",\"field\":\"carbon_black_cloud.watchlist_hit.ioc.hit\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 IOC Hits\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 1c116157a2..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Category", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category\",\"field\":\"carbon_black_cloud.alert.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Category\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 3ced47d3fe..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Publisher State", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher State\",\"field\":\"carbon_black_cloud.endpoint_event.process.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher State\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 60cf2f819b..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by OS Type, OS Version", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Type\",\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Version\",\"field\":\"host.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"row\":true,\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by OS Type, OS Version\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - 
], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 411603d6cc..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"carbon_black_cloud.asset_vulnerability_summary.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":2},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"norm
al\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Distribution of Asset Vulnerability Summary by Type\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 811d8c6112..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Source of the Threat Cause", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source of the Threat Cause\",\"field\":\"carbon_black_cloud.alert.threat_cause.vector\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"
position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Source of the Threat Cause\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index e390c83ecc..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by IOC field", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Field\",\"field\":\"carbon_black_cloud.alert.ioc.field\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"
normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by IOC field\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index bdd43d6d65..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by OS Type", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by OS Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index a8622511b3..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by OS Architecture", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.architecture\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by OS Architecture\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 02160d4bea..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Top 10 OS Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Names\",\"field\":\"host.os.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"row\":false,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 OS Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 6c64141f00..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Top 10 Hosts with Highest Vulnerability Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Vulnerability Count\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.vuln_count\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Highest Vulnerability Count\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 630d474e6e..0000000000 
--- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Workflow State", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Workflow State\",\"field\":\"carbon_black_cloud.alert.workflow.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Workflow State\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 228daf684c..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Parent Process Publisher Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Publisher Name\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 1bd12c5d2e..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by Severity", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"vulnerability.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Severity\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b.json deleted file mode 100755 index 0919e5e20a..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Threat Cause Actor Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Actor Name\",\"field\":\"carbon_black_cloud.alert.threat_cause.actor.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Threat Cause Actor Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 0a3d26dad2..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Report Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Report Name\",\"field\":\"carbon_black_cloud.watchlist_hit.report.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Report Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 6e873422cb..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Top 10 Hosts with Highest Risk Score", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Risk Score\",\"field\":\"vulnerability.score.base\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Highest Risk Score\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 48a0ff614a..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Publisher Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher Name\",\"field\":\"carbon_black_cloud.endpoint_event.process.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index b549ad14a1..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by Sync Type", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sync type\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.sync.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Sync Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 116934a90e..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Child Process Publisher State", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Publisher State\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Publisher State\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index ebce21d74d..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by Sync Status", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sync Status\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.sync.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Sync Status\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 8f11ac69cf..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Top 10 Hosts with Severity", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Severity\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"2-orderAgg\",\"params\":{\"field\":\"vulnerability.severity\"},\"schema\":\"orderAgg\",\"type\":\"cardinality\"},\"orderBy\":\"custom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Severity\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 5d57824451..0000000000 
--- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 IOC Hit", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Hit\",\"field\":\"carbon_black_cloud.alert.ioc.hit\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 IOC Hit\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index dd5f86134d..0000000000 
--- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Watchlist Hit", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit\",\"field\":\"carbon_black_cloud.alert.watchlists.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\
":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Watchlist Hit\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 60669ee962..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Cause Reputation", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Reputation\",\"field\":\"carbon_black_cloud.alert.threat_cause.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"po
sition\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Cause Reputation\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 19ad6bf381..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Threat Indicators Process Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Indicators Process Name\",\"field\":\"carbon_black_cloud.alert.threat_indicators.process_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Threat Indicators Process Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 7992c14128..0000000000 
--- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Devices", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Name\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Devices\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index ebcc102bf4..0000000000 
--- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Run State", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Run State\",\"field\":\"carbon_black_cloud.alert.run_state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Run State\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index bf3592d08f..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Blocked Threat Category", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Blocked Threat Category\",\"field\":\"carbon_black_cloud.alert.blocked_threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"po
sition\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Blocked Threat Category\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 1025e00226..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Sensor Action", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sensor Action\",\"field\":\"carbon_black_cloud.alert.sensor_action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":
{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Sensor Action\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index c4ce665f33..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Device Username", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Username\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device Username\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 7db345ec9b..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Audit Logs by Flag Status", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Flagged\",\"field\":\"carbon_black_cloud.audit.flagged\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Audit Logs by Flag Status\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 37864260d1..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Effective reputation of the loaded modules", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Effective Reputation of Loaded Modules\",\"field\":\"carbon_black_cloud.endpoint_event.modload.effective_reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Effective reputation of the loaded modules\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json deleted file mode 100755 index cf20544145..0000000000 
--- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Child Process Publisher Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Publisher Name\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":8},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Publisher Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json deleted file mode 100755 index dd2d0ee97a..0000000000 
--- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Usernames", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Username\",\"field\":\"carbon_black_cloud.watchlist_hit.process.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Usernames\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json deleted file mode 100755 index bb4fb20b4b..0000000000 
--- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Device Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Name\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 3a76cb6cae..0000000000 
--- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Endpoint Events by Sensor Actions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sensor Action\",\"field\":\"carbon_black_cloud.endpoint_event.sensor_action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale
\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by Sensor Actions\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 29d985b4d8..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Watchlist Hit by Report Tags", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit by Report Tag\",\"field\":\"carbon_black_cloud.watchlist_hit.report.tags\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\
"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Report Tags\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 50933d86cc..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Not Blocked Threat Category", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Not Blocked Threat Category\",\"field\":\"carbon_black_cloud.alert.not_blocked_threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftA
xis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Not Blocked Threat Category\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index bf02f82c2e..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Policy Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Name\",\"field\":\"carbon_black_cloud.alert.policy.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Policy Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index bfebab9f24..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Reason Codes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Reason Codes\",\"field\":\"carbon_black_cloud.alert.reason_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Reason Codes\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 85bf297c56..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Parent Process Usernames", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Username\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Usernames\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 2ad0964cbb..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Request URLs", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"URL\",\"field\":\"url.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Request URLs\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index cb945df49b..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Kill Chain Status", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Kill Chain Status\",\"field\":\"carbon_black_cloud.alert.kill_chain_status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\
",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Kill Chain Status\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index fc1c6812f0..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Process Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Name\",\"field\":\"process.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\
":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Process Name\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 3c04444ca9..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Device External IP", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device External IP\",\"field\":\"carbon_black_cloud.endpoint_event.device.external_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device External IP\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index a79db35e93..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Alert Type", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Type\",\"field\":\"carbon_black_cloud.alert.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Alert Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95.json
deleted file mode 100755
index d3f393c0d5..0000000000
--- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95.json
+++ /dev/null
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Cause Actor Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Actor Name\",\"field\":\"carbon_black_cloud.alert.threat_cause.actor.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"po
sition\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Cause Actor Name\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 84fedf340e..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Username", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Username\",\"field\":\"carbon_black_cloud.endpoint_event.process.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Username\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 1c30c4f320..0000000000 --- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Policy Applied", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Applied\",\"field\":\"carbon_black_cloud.alert.policy.applied\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Policy Applied\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json
deleted file mode 100755
index 4a17555983..0000000000
--- a/packages/carbon_black_cloud/1.0.2/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json
+++ /dev/null
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Target Value", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target Value\",\"field\":\"carbon_black_cloud.alert.target_value\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Target Value\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.2/manifest.yml b/packages/carbon_black_cloud/1.0.2/manifest.yml deleted file mode 100755 index a8ab1f00f1..0000000000 
--- a/packages/carbon_black_cloud/1.0.2/manifest.yml
+++ /dev/null
@@ -1,136 +0,0 @@
-format_version: 1.0.0
-name: carbon_black_cloud
-title: VMware Carbon Black Cloud
-version: 1.0.2
-license: basic
-description: Collect logs from VMWare Carbon Black Cloud with Elastic Agent.
-type: integration
-categories:
- - security
-release: ga
-conditions:
- kibana.version: ^7.17.0 || ^8.0.0
-screenshots:
- - src: /img/carbon_black_cloud-screenshot.png
- title: Carbon Black Cloud alert dashboard screenshot
- size: 600x600
- type: image/png
-icons:
- - src: /img/carbon_black_cloud-logo.svg
- title: Carbon Black Cloud logo
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: carbon_black_cloud
- title: Carbon Black Cloud
- description: Collect Logs from Carbon Black Cloud
- inputs:
- - type: httpjson
- title: Collect Carbon Black Cloud logs via API
- description: Collect Carbon Black Cloud logs via API
- vars:
- - name: hostname
- type: text
- title: Hostname
- description: Carbon Black Cloud console Hostname. Find hostname in the console dashboard at the beginning of the web address (Add https:// before the hostname).
- required: true
- - name: org_key
- type: text
- title: Organization Key
- description: Organization Key.
- required: true
- - name: custom_api_id
- type: text
- title: Custom API ID
- description: API ID with Custom Access Level type.
- required: true
- - name: custom_api_secret_key
- type: password
- title: Custom API Secret Key
- description: API Secret Key with Custom Access Level type
- required: true
- - name: api_id
- type: text
- title: API ID
- description: API ID with API Access Level type.
- required: true
- - name: api_secret_key
- type: password
- title: API Secret Key
- description: API Secret Key with API Access Level type
- required: true
- - name: proxy_url
- type: text
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.
- - name: ssl
- type: yaml
- title: SSL Configuration
- description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
- multi: false
- required: false
- show_user: false
- default: |
- #certificate_authorities:
- # - |
- # -----BEGIN CERTIFICATE-----
- # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
- # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
- # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
- # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
- # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
- # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
- # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
- # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
- # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
- # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
- # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
- # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
- # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
- # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
- # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
- # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
- # sxSmbIUfc2SGJGCJD4I=
- # -----END CERTIFICATE-----
- - type: aws-s3
- title: Collect Carbon Black Cloud logs via AWS S3
- description: Collect Carbon Black Cloud logs via AWS S3
- vars:
- - name: bucket_arn
- type: text
- title: Bucket ARN
- multi: false
- required: true
- show_user: true
- - name: access_key_id
- type: password
- title: Access Key ID
- multi: false
- required: true
- show_user: true
- - name: secret_access_key
- type: password
- title: Secret Access Key
- multi: false
- required: true
- show_user: true
- - name: number_of_workers
- type: integer
- title: Number of Workers
- multi: false
- required: false
- show_user: false
- default: 5
- description: Number of workers that will process the S3 objects listed.
- - name: proxy_url
- type: text
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/cisco_secure_endpoint/2.4.1/changelog.yml b/packages/cisco_secure_endpoint/2.4.1/changelog.yml
deleted file mode 100755
index b24614d3e2..0000000000
--- a/packages/cisco_secure_endpoint/2.4.1/changelog.yml
+++ /dev/null
@@ -1,74 +0,0 @@
-# newer versions go on top
-- version: "2.4.1"
- changes:
- - description: update read me with link to vendor documentation
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3225
-- version: "2.4.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2778
-- version: "2.3.1"
- changes:
- - description: Fix typo in config template for ignoring host enrichment
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3092
-- version: "2.3.0"
- changes:
- - description: Ensure pagination exits correctly and remove possible host fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2915
-- version: "2.2.0"
- changes:
- - description: Fix propagation of information from host.name.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2915
-- version: "2.1.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "2.1.0"
- changes:
- - description: Adding possibility to extract host and user data if possible.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2888
-- version: "2.0.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2395
- - description: Normalize MAC address; replace host.user.name with user.name
- type: breaking-change
- link: https://github.com/elastic/integrations/pull/2395
-- version: "1.0.0"
- changes:
- - description: GA integration
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2360
-- version: "0.2.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "0.2.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "0.2.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2253
-- version: "0.1.1"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1958
-- version: "0.1.0"
- changes:
- - description: Initial migration from Filebeat Module
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1645
diff --git a/packages/cisco_secure_endpoint/2.4.1/data_stream/event/agent/stream/httpjson.yml.hbs b/packages/cisco_secure_endpoint/2.4.1/data_stream/event/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 8f85d95a48..0000000000
--- a/packages/cisco_secure_endpoint/2.4.1/data_stream/event/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,58 +0,0 @@
-config_version: "2"
-interval: {{interval}}
-request.method: "GET"
-request.url: {{ url }}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-{{#if http_client_timeout}}
-request.timeout: {{http_client_timeout}}
-{{/if}}
-auth.basic.user: {{ client_id }}
-auth.basic.password: {{ api_key }}
-
-request.transforms:
-- set:
- target: url.params.start_date
- value: '[[.cursor.timestamp]]'
- default: '[[ formatDate (now (parseDuration "-{{ initial_interval }}")) "2006-01-02T15:04:05-07:00" ]]'
-- set:
- target: url.params.limit
- value: {{ limit }}
-
-request.rate_limit.limit: '[[ .last_response.header.Get "X-RateLimit-Limit" ]]'
-request.rate_limit.reset: '[[ .last_response.header.Get "X-RateLimit-Reset" ]]'
-request.rate_limit.remaining: '[[ .last_response.header.Get "X-RateLimit-Remaining" ]]'
-
-response.split:
- target: body.data
- keep_parent: true
-
-response.pagination:
-- set:
- target: url.value
- value: '[[ .last_response.body.metadata.links.next ]]'
- fail_on_template_error: true
-
-cursor:
- timestamp:
- value: '[[ .first_event.data.date ]]'
-
-{{#if tags.length}}
-tags:
-{{else if preserve_original_event}}
-tags:
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_secure_endpoint/2.4.1/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_secure_endpoint/2.4.1/data_stream/event/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index e82a940d01..0000000000
--- a/packages/cisco_secure_endpoint/2.4.1/data_stream/event/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,634 +0,0 @@ ---- -description: Pipeline for parsing Cisco Secure Endpoint logs -processors: -- remove: - field: host - ignore_missing: true -- rename: - field: message - target_field: event.original - ignore_missing: true -- json: - field: event.original - target_field: json - if: ctx?.json == null -######################### -## ECS General Mapping ## -######################### -- fingerprint: - fields: - - "json.data.timestamp" - - "json.data.timestamp_nanoseconds" - - "json.data.event_type_id" - - "json.data.connector_guid" - - "json.data.id" - - "json.data.detection_id" - target_field: "_id" - ignore_missing: true -- rename: - field: json.data - target_field: cisco.secure_endpoint - ignore_missing: true -- date: - field: cisco.secure_endpoint.timestamp - formats: - - UNIX - ignore_failure: true - -####################### -## ECS Event Mapping ## -####################### -- set: - field: ecs.version - value: '8.2.0' -- set: - field: event.kind - value: alert -- convert: - field: cisco.secure_endpoint.id - target_field: event.id - type: string - ignore_missing: true -- append: - field: event.category - value: file - if: ctx?.cisco?.secure_endpoint?.file?.file_name != null -- append: - field: event.category - value: malware - if: 'ctx?.cisco?.secure_endpoint?.file?.disposition == "Malicious"' -- rename: - field: cisco.secure_endpoint.event_type - target_field: event.action - ignore_missing: true -- convert: - field: cisco.secure_endpoint.event_type_id - target_field: event.code - type: string - ignore_missing: true -- set: - field: event.severity - value: 1 - if: ctx?.cisco?.secure_endpoint?.severity == 'Low' -- set: - field: event.severity - value: 2 - if: ctx?.cisco?.secure_endpoint?.severity == 'Medium' -- set: - field: event.severity - value: 3 - if: ctx?.cisco?.secure_endpoint?.severity == 'High' -- set: - field: event.severity - value: 4 - if: ctx?.cisco?.secure_endpoint?.severity == 'Critical' -- set: - field: event.severity - value: 0 - if: 
ctx?.cisco?.secure_endpoint?.severity == null -- date: - field: cisco.secure_endpoint.start_timestamp - target_field: event.start - formats: - - UNIX - ignore_failure: true - if: ctx?.cisco?.secure_endpoint?.start_timestamp != null -- rename: - field: cisco.secure_endpoint.techniques - target_field: threat.technique.id - if: "ctx?.cisco?.secure_endpoint?.techniques != null && ctx?.cisco?.secure_endpoint?.techniques.length > 0 && ctx?.cisco?.secure_endpoint?.techniques[0] instanceof String" -- rename: - field: cisco.secure_endpoint.tactics - target_field: threat.tactic.id - if: "ctx?.cisco?.secure_endpoint?.tactics != null && ctx?.cisco?.secure_endpoint?.tactics.length > 0 && ctx?.cisco?.secure_endpoint?.tactics[0] instanceof String" -- script: - lang: painless - source: | - if (ctx?.threat == null) { - ctx.threat = new HashMap(); - } - if (ctx?.threat.technique == null) { - ctx.threat.technique = new HashMap(); - } - if (ctx?.threat.technique.id == null) { - ctx.threat.technique.id = new ArrayList(); - } - if (ctx?.threat.technique.name == null) { - ctx.threat.technique.name = new ArrayList(); - } - if (ctx?.threat.technique.reference == null) { - ctx.threat.technique.reference = new ArrayList(); - } - for (technique in ctx?.cisco?.secure_endpoint?.techniques) { - if (technique.name != null) { - if (!ctx?.threat.technique.name.contains(technique.name)) { - ctx?.threat.technique.name.add(technique.name); - } - } - if (technique.external_id != null) { - if (!ctx?.threat.technique.id.contains(technique.external_id)) { - ctx?.threat.technique.id.add(technique.external_id); - } - } - if (technique.mitre_url != null) { - if (!ctx?.threat.technique.reference.contains(technique.mitre_url)) { - ctx?.threat.technique.reference.add(technique.mitre_url); - } - } - } - if: ctx?.cisco?.secure_endpoint?.tactics != null -- script: - lang: painless - source: | - if (ctx?.threat == null) { - ctx.threat = new HashMap(); - } - if (ctx?.threat.tactic == null) { - ctx.threat.tactic = 
new HashMap(); - } - if (ctx?.threat.tactic.id == null) { - ctx.threat.tactic.id = new ArrayList(); - } - if (ctx?.threat.tactic.name == null) { - ctx.threat.tactic.name = new ArrayList(); - } - if (ctx?.threat.tactic.reference == null) { - ctx.threat.tactic.reference = new ArrayList(); - } - for (tactic in ctx?.cisco?.secure_endpoint?.tactics) { - if (tactic.name != null) { - if (!ctx?.threat.tactic.name.contains(tactic.name)) { - ctx?.threat.tactic.name.add(tactic.name); - } - } - if (tactic.external_id != null) { - if (!ctx?.threat.tactic.id.contains(tactic.external_id)) { - ctx?.threat.tactic.id.add(tactic.external_id); - } - } - if (tactic.mitre_url != null) { - if (!ctx?.threat.tactic.reference.contains(tactic.mitre_url)) { - ctx?.threat.tactic.reference.add(tactic.mitre_url); - } - } - } - if: ctx?.cisco?.secure_endpoint?.tactics != null - -###################### -## ECS Host Mapping ## -###################### -- rename: - field: cisco.secure_endpoint.computer.hostname - target_field: host.name - ignore_missing: true -- rename: - field: cisco.secure_endpoint.hostname - target_field: host.name - ignore_missing: true - if: ctx?.host?.name == null -- script: - lang: painless - if: 'ctx.host?.name != null && ctx.host?.name.contains(".")' - source: | - def domain = ""; - def nameArray = ctx.host.name.toString().splitOnToken("."); - if (ctx.host == null) { - ctx.host = new HashMap(); - } - if (nameArray?.length > 0) { - for (int i = 1; i < nameArray.length; i++) { - domain += nameArray[i] + (i < nameArray.length - 1 ? "." 
: ""); - } - ctx.host.hostname = nameArray[0]; - ctx.host.domain = domain; - } -- set: - field: host.hostname - copy_from: host.name - ignore_empty_value: true - if: ctx?.host?.hostname == null -- script: - lang: painless - if: 'ctx.cisco?.secure_endpoint?.computer?.user != null && ctx.cisco?.secure_endpoint?.computer?.user.contains("@")' - source: > - String[] splitmail = ctx.cisco.secure_endpoint.computer.user.splitOnToken("@"); - if (ctx.user == null) { - ctx.user = new HashMap(); - } - if (splitmail.length != 2) { - return; - } - ctx.user.email = ctx.user.id; - ctx.user.domain = splitmail[1]; - ctx.user.name = splitmail[0]; -- rename: - field: cisco.secure_endpoint.computer.user - target_field: user.name - ignore_missing: true - if: ctx?.user?.name == null && ctx?.cisco?.secure_endpoint?.computer?.user != null - -######################### -## ECS Network Mapping ## -######################### -- rename: - field: cisco.secure_endpoint.network_info.nfm.protocol - target_field: network.transport - ignore_missing: true -- set: - field: network.direction - value: egress - if: "ctx?.cisco?.secure_endpoint?.network_info?.nfm?.direction == 'Outgoing connection from'" -- set: - field: network.direction - value: ingress - if: "ctx?.cisco?.secure_endpoint?.network_info?.nfm?.direction != null && ctx?.cisco?.secure_endpoint?.network_info?.nfm?.direction != 'Outgoing connection from'" - -##################### -## ECS URL Mapping ## -##################### -- uri_parts: - field: cisco.secure_endpoint.network_info.dirty_url - target_field: url - keep_original: true - remove_if_successful: true - if: ctx?.cisco?.secure_endpoint?.network_info?.dirty_url != null -- rename: - field: cisco.secure_endpoint.network_info.dirty_url - target_field: url.original - ignore_missing: true - -######################## -## ECS Source Mapping ## -######################## -- rename: - field: cisco.secure_endpoint.network_info.local_ip - target_field: source.ip - ignore_missing: true -- rename: - 
field: cisco.secure_endpoint.network_info.local_port - target_field: source.port - ignore_missing: true - -############################# -## ECS Destination Mapping ## -############################# -- rename: - field: cisco.secure_endpoint.network_info.remote_ip - target_field: destination.ip - ignore_missing: true -- rename: - field: cisco.secure_endpoint.network_info.remote_port - target_field: destination.port - ignore_missing: true - -###################### -## ECS File Mapping ## -###################### -- rename: - field: cisco.secure_endpoint.file.file_name - target_field: file.name - ignore_missing: true -- rename: - field: cisco.secure_endpoint.file.file_path - target_field: file.path - ignore_missing: true -- rename: - field: cisco.secure_endpoint.file.identity.sha256 - target_field: file.hash.sha256 - ignore_missing: true -- rename: - field: cisco.secure_endpoint.file.identity.sha1 - target_field: file.hash.sha1 - ignore_missing: true -- rename: - field: cisco.secure_endpoint.file.identity.md5 - target_field: file.hash.md5 - ignore_missing: true - -##################### -## ECS OS Mapping ## -##################### -- set: - field: host.os.family - value: windows - if: 'ctx?.file?.path != null && ctx?.file?.path.contains("\\\\")' -- set: - field: host.os.platform - value: windows - if: 'ctx?.file?.path != null && ctx?.file?.path.contains("\\\\")' - -######################### -## ECS Process Mapping ## -######################### -- rename: - field: cisco.secure_endpoint.file.parent.process_id - target_field: process.pid - ignore_missing: true -- rename: - field: cisco.secure_endpoint.network_info.parent.process_id - target_field: process.pid - ignore_missing: true -- rename: - field: cisco.secure_endpoint.file.parent.file_name - target_field: process.name - ignore_missing: true -- rename: - field: cisco.secure_endpoint.file.parent.identity.sha256 - target_field: process.hash.sha256 - ignore_missing: true -- rename: - field: 
cisco.secure_endpoint.file.parent.identity.sha1 - target_field: process.hash.sha1 - ignore_missing: true -- rename: - field: cisco.secure_endpoint.file.parent.identity.md5 - target_field: process.hash.md5 - ignore_missing: true -- rename: - field: cisco.secure_endpoint.file.parent.identity.md5 - target_field: process.hash.md5 - ignore_missing: true -- rename: - field: cisco.secure_endpoint.network_info.parent.file_name - target_field: process.name - ignore_missing: true -- rename: - field: cisco.secure_endpoint.network_info.parent.identity.sha256 - target_field: process.hash.sha256 - ignore_missing: true -- rename: - field: cisco.secure_endpoint.network_info.parent.identity.sha1 - target_field: process.hash.sha1 - ignore_missing: true -- rename: - field: cisco.secure_endpoint.network_info.parent.identity.md5 - target_field: process.hash.md5 - ignore_missing: true -- script: - description: Set process.command_line and process.args. - tag: set-process-command_line - lang: painless - source: | - def commandLine = ctx?.cisco?.secure_endpoint?.command_line?.arguments; - if (commandLine != null) { - commandLine = commandLine.trim(); - if (commandLine != "") { - ctx.process.command_line = commandLine; - - def args = []; - for (def v : / /.split(commandLine)) { - if (v != "") { - args.add(v); - } - } - if (args.size() > 0) { - ctx.process.args = args; - } - } - } -- script: - description: Set process.args_count and process.executable based on process.args. 
- tag: set-process-args_count - lang: painless - if: ctx?.process?.args != null - source: | - ctx.process.args_count = ctx.process.args.length; - if (ctx.process.args.length > 0) { - ctx.process.executable = ctx.process.args[0]; - } - -######################### -## ECS Related Mapping ## -######################### -- append: - field: related.user - value: "{{ user.name }}" - if: ctx?.user?.name != null - allow_duplicates: false -- append: - field: related.hash - value: "{{ process.hash.sha256 }}" - if: ctx?.process?.parent?.hash?.sha256 != null - allow_duplicates: false -- append: - field: related.hash - value: "{{ process.hash.md5 }}" - if: ctx?.process?.parent?.hash?.md5 != null - allow_duplicates: false -- append: - field: related.hash - value: "{{ process.hash.sha1 }}" - if: ctx?.process?.parent?.hash?.sha1 != null - allow_duplicates: false -- append: - field: related.hash - value: "{{ file.hash.sha256 }}" - if: ctx?.file?.hash?.sha256 != null - allow_duplicates: false -- append: - field: related.hash - value: "{{ file.hash.md5 }}" - if: ctx?.file?.hash?.md5 != null - allow_duplicates: false -- append: - field: related.hash - value: "{{ file.hash.sha1 }}" - if: ctx?.file?.hash?.sha1 != null - allow_duplicates: false -- append: - field: related.hash - value: "{{ cisco.secure_endpoint.network_info.parent.identity.sha256 }}" - if: ctx?.cisco?.secure_endpoint?.network_info?.parent?.identity?.sha256 != null - allow_duplicates: false -- append: - field: related.hash - value: "{{ cisco.secure_endpoint.network_info.parent.identity.md5 }}" - if: ctx?.cisco?.secure_endpoint?.network_info?.parent?.identity?.md5 != null - allow_duplicates: false -- append: - field: related.hash - value: "{{ cisco.secure_endpoint.network_info.parent.identity.sha1 }}" - if: ctx?.cisco?.secure_endpoint?.network_info?.parent?.identity?.sha1 != null - allow_duplicates: false -- append: - field: related.hosts - value: "{{ host.name }}" - if: ctx?.host?.name != null - allow_duplicates: false -- 
append: - field: related.ip - value: "{{ source.ip }}" - if: ctx?.source?.ip != null - allow_duplicates: false -- append: - field: related.ip - value: "{{ destination.ip }}" - if: ctx?.destination?.ip != null - allow_duplicates: false -- append: - field: related.ip - value: "{{ cisco.secure_endpoint.computer.external_ip }}" - if: ctx?.cisco?.secure_endpoint?.computer?.external_ip != null - allow_duplicates: false -- script: - lang: painless - source: | - if (ctx?.related == null) { - ctx.related = new HashMap(); - } - if (ctx?.related?.ip == null) { - ctx.related.ip = new ArrayList(); - } - for (addr in ctx?.cisco?.secure_endpoint?.computer?.network_addresses) { - if (addr.ip != null && !addr.ip.isEmpty()) { - if (!ctx?.related?.ip.contains(addr.ip)) { - ctx?.related?.ip.add(addr.ip); - } - } - } - if: ctx?.cisco?.secure_endpoint?.computer?.network_addresses != null -- script: - lang: painless - source: | - if (ctx?.cisco?.secure_endpoint?.related == null) { - ctx.cisco.secure_endpoint.related = new HashMap(); - } - if (ctx?.cisco?.secure_endpoint?.related?.mac == null) { - ctx.cisco.secure_endpoint.related.mac = new ArrayList(); - } - for (addr in ctx?.cisco?.secure_endpoint?.computer?.network_addresses) { - if (addr.mac != null && !addr.mac.isEmpty()) { - if (!ctx?.cisco?.secure_endpoint?.related?.mac.contains(addr.mac)) { - def mac_addr = addr.mac.replace(":","-").toUpperCase(); - ctx?.cisco?.secure_endpoint?.related?.mac.add(mac_addr); - } - } - } - if: ctx?.cisco?.secure_endpoint?.computer?.network_addresses != null -- foreach: - field: cisco.secure_endpoint.vulnerabilities - processor: - append: - field: cisco.secure_endpoint.related.cve - value: "{{ _ingest._value.cve }}" - allow_duplicates: false - if: ctx?.cisco?.secure_endpoint?.vulnerabilities != null - -############# -## GeoIP ## -############# -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: 
destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - -############# -## Cleanup ## -############# -- date: - field: cisco.secure_endpoint.threat_hunting.incident_start_time - target_field: cisco.secure_endpoint.threat_hunting.incident_start_time - formats: - - UNIX - ignore_failure: true - if: ctx?.cisco?.secure_endpoint?.threat_hunting?.incident_start_time != null -- date: - field: cisco.secure_endpoint.threat_hunting.incident_end_time - target_field: cisco.secure_endpoint.threat_hunting.incident_end_time - formats: - - UNIX - ignore_failure: true - if: ctx?.cisco?.secure_endpoint?.threat_hunting?.incident_end_time != null -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. 
- if: ctx?.json != null - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - } - handleMap(ctx); -- remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -- remove: - field: - - cisco.secure_endpoint.computer.hostname - - cisco.secure_endpoint.computer.links - - cisco.secure_endpoint.computer.user - - cisco.secure_endpoint.date - - cisco.secure_endpoint.id - - cisco.secure_endpoint.severity - - cisco.secure_endpoint.start_date - - cisco.secure_endpoint.start_timestamp - - cisco.secure_endpoint.threat_hunting.tactics - - cisco.secure_endpoint.threat_hunting.techniques - - cisco.secure_endpoint.timestamp - - cisco.secure_endpoint.timestamp_nanoseconds - - json - ignore_missing: true -on_failure: -- remove: - field: - - json - ignore_missing: true -- set: - field: error.message - value: |- - Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" failed with message "{{{ _ingest.on_failure_message }}}" diff --git a/packages/cisco_secure_endpoint/2.4.1/data_stream/event/fields/agent.yml b/packages/cisco_secure_endpoint/2.4.1/data_stream/event/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/cisco_secure_endpoint/2.4.1/data_stream/event/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/cisco_secure_endpoint/2.4.1/data_stream/event/fields/base-fields.yml b/packages/cisco_secure_endpoint/2.4.1/data_stream/event/fields/base-fields.yml
deleted file mode 100755
index 351ac77130..0000000000
--- a/packages/cisco_secure_endpoint/2.4.1/data_stream/event/fields/base-fields.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: cisco_secure_endpoint
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: cisco_secure_endpoint.event
-- name: container.id
- description: Unique container id.
- ignore_above: 1024
- type: keyword
-- name: input.type
- description: Type of Filebeat input.
- type: keyword
diff --git a/packages/cisco_secure_endpoint/2.4.1/data_stream/event/fields/ecs.yml b/packages/cisco_secure_endpoint/2.4.1/data_stream/event/fields/ecs.yml
deleted file mode 100755
index 88f37ca4c9..0000000000
--- a/packages/cisco_secure_endpoint/2.4.1/data_stream/event/fields/ecs.yml
+++ /dev/null
@@ -1,260 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Identification code for this event, if one exists. 
- Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: |- - Array of process arguments, starting with the absolute path to the executable. - May be filtered to protect sensitive information. - name: process.args - type: keyword -- description: |- - Length of the process.args array. - This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. 
More arguments may be an indication of suspicious activity. - name: process.args_count - type: long -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: MD5 hash. - name: process.hash.md5 - type: keyword -- description: SHA1 hash. - name: process.hash.sha1 - type: keyword -- description: SHA256 hash. - name: process.hash.sha256 - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: SHA256 hash. - name: file.hash.sha256 - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. 
This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) - name: threat.tactic.id - type: keyword -- description: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) - name: threat.tactic.reference - type: keyword -- description: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) - name: threat.tactic.name - type: keyword -- description: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - name: threat.technique.id - type: keyword -- description: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - multi_fields: - - name: text - type: match_only_text - name: threat.technique.name - type: keyword -- description: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - name: threat.technique.reference - type: keyword 
diff --git a/packages/cisco_secure_endpoint/2.4.1/data_stream/event/fields/fields.yml b/packages/cisco_secure_endpoint/2.4.1/data_stream/event/fields/fields.yml
deleted file mode 100755
index 68cdf7aad9..0000000000
--- a/packages/cisco_secure_endpoint/2.4.1/data_stream/event/fields/fields.yml
+++ /dev/null
@@ -1,282 +0,0 @@ -- name: cisco.secure_endpoint - type: group - release: beta - default_field: false - description: > - Module for parsing Cisco Secure Endpoint logs. - - fields: - - name: timestamp_nanoseconds - type: date - description: > - The timestamp in Epoch nanoseconds. - - - name: event_type_id - type: long - description: > - A sub ID of the event, depending on event type. - - - name: detection - type: keyword - description: > - The name of the malware detected. - - - name: detection_id - type: keyword - description: > - The ID of the detection. - - - name: connector_guid - type: keyword - description: > - The GUID of the connector sending information to AMP. - - - name: group_guids - type: keyword - description: > - An array of group GUIDS related to the connector sending information to AMP. - - - name: vulnerabilities - type: flattened - description: > - An array of related vulnerabilities to the malicious event. - - - name: scan.description - type: keyword - description: > - Description of an event related to a scan being initiated, for example the specific directory name. - - - name: scan.clean - type: boolean - description: > - Boolean value if a scanned file was clean or not. - - - name: scan.scanned_files - type: long - description: > - Count of files scanned in a directory. - - - name: scan.scanned_processes - type: long - description: > - Count of processes scanned related to a single scan event. - - - name: scan.scanned_paths - type: long - description: > - Count of different directories scanned related to a single scan event. - - - name: scan.malicious_detections - type: long - description: > - Count of malicious files or documents detected related to a single scan event. - - - name: computer.connector_guid - type: keyword - description: > - The GUID of the connector, similar to top level connector_guid, but unique if multiple connectors are involved. 
- - - name: computer.external_ip - type: ip - description: > - The external IP of the related host. - - - name: computer.active - type: boolean - description: > - If the current endpoint is active or not. - - - name: computer.network_addresses - type: flattened - description: > - All network interface information on the related host. - - - name: file.disposition - type: keyword - description: > - Categorization of file, for example "Malicious" or "Clean". - - - name: network_info.disposition - type: keyword - description: > - Categorization of a network event related to a file, for example "Malicious" or "Clean". - - - name: network_info.nfm.direction - type: keyword - description: > - The current direction based on source and destination IP. - - - name: related.mac - type: keyword - description: > - An array of all related MAC addresses. - - - name: related.cve - type: keyword - description: > - An array of all related CVEs - - - name: cloud_ioc.description - type: keyword - description: > - Description of the related IOC for specific IOC events from AMP. - - - name: cloud_ioc.short_description - type: keyword - description: > - Short description of the related IOC for specific IOC events from AMP. - - - name: network_info.parent.disposition - type: keyword - description: > - Categorization of a IOC for example "Malicious" or "Clean". - - - name: network_info.parent.identity.md5 - type: keyword - description: > - MD5 hash of the related IOC. - - - name: network_info.parent.identity.sha1 - type: keyword - description: > - SHA1 hash of the related IOC. - - - name: network_info.parent.identify.sha256 - type: keyword - description: > - SHA256 hash of the related IOC. - - - name: file.archived_file.disposition - type: keyword - description: > - Categorization of a file archive related to a file, for example "Malicious" or "Clean". - - - name: file.archived_file.identity.md5 - type: keyword - description: > - MD5 hash of the archived file related to the malicious event. 
- - - name: file.archived_file.identity.sha1 - type: keyword - description: > - SHA1 hash of the archived file related to the malicious event. - - - name: file.archived_file.identity.sha256 - type: keyword - description: > - SHA256 hash of the archived file related to the malicious event. - - - name: file.attack_details.application - type: keyword - description: > - The application name related to Exploit Prevention events. - - - name: file.attack_details.attacked_module - type: keyword - description: > - Path to the executable or dll that was attacked and detected by Exploit Prevention. - - - name: file.attack_details.base_address - type: keyword - description: > - The base memory address related to the exploit detected. - - - name: file.attack_details.suspicious_files - type: keyword - description: > - An array of related files when an attack is detected by Exploit Prevention. - - - name: file.parent.disposition - type: keyword - description: > - Categorization of parrent, for example "Malicious" or "Clean". - - - name: error.description - type: keyword - description: > - Description of an endpoint error event. - - - name: error.error_code - type: long - description: > - The error code describing the related error event. - - - name: threat_hunting.severity - type: keyword - description: > - Severity result of the threat hunt registered to the malicious event. Can be Low-Critical. - - - name: threat_hunting.incident_report_guid - type: keyword - description: > - The GUID of the related threat hunting report. - - - name: threat_hunting.incident_hunt_guid - type: keyword - description: > - The GUID of the related investigation tracking issue. - - - name: threat_hunting.incident_title - type: keyword - description: > - Title of the incident related to the threat hunting activity. - - - name: threat_hunting.incident_summary - type: keyword - description: > - Summary of the outcome on the threat hunting activity. 
- - - name: threat_hunting.incident_remediation - type: keyword - description: > - Recommendations to resolve the vulnerability or exploited host. - - - name: threat_hunting.incident_id - type: long - description: > - The id of the related incident for the threat hunting activity. - - - name: threat_hunting.incident_end_time - type: date - description: > - When the threat hunt finalized or closed. - - - name: threat_hunting.incident_start_time - type: date - description: > - When the threat hunt was initiated. - - - name: file.attack_details.indicators - type: flattened - description: > - Different indicator types that matches the exploit detected, for example different MITRE tactics. - - - name: threat_hunting.tactics - type: flattened - description: > - List of all MITRE tactics related to the incident found. - - - name: threat_hunting.techniques - type: flattened - description: > - List of all MITRE techniques related to the incident found. - - - name: tactics - type: flattened - description: > - List of all MITRE tactics related to the incident found. - - - name: techniques - type: flattened - description: > - List of all MITRE techniques related to the incident found. - - - name: command_line.arguments - type: keyword - description: > - The CLI arguments related to the Cloud Threat IOC reported by Cisco. - - - name: bp_data - type: flattened - description: >- - Endpoint isolation information
diff --git a/packages/cisco_secure_endpoint/2.4.1/data_stream/event/manifest.yml b/packages/cisco_secure_endpoint/2.4.1/data_stream/event/manifest.yml
deleted file mode 100755
index 4cd9a9565f..0000000000
--- a/packages/cisco_secure_endpoint/2.4.1/data_stream/event/manifest.yml
+++ /dev/null
@@ -1,91 +0,0 @@ -title: Cisco Secure Endpoint logs -type: logs -streams: - - input: httpjson - vars: - - name: client_id - type: text - title: Client ID - description: Cisco Secure Endpoint Client ID - multi: false - required: true - show_user: true - - name: api_key - type: password - title: API Key - description: Cisco Secure Endpoint API Key - multi: false - required: true - show_user: true - - name: http_client_timeout - type: text - title: HTTP Client Timeout - multi: false - required: false - show_user: true - default: 60s - - name: interval - type: text - title: Interval - multi: false - required: true - show_user: true - description: Interval at which the logs will be pulled. The value must be between 2m and 1h. - default: 1h - - name: url - type: text - title: API URL. - description: The API URL - multi: false - required: true - show_user: false - default: https://api.amp.cisco.com/v1/events?offset=0&limit=300 - - name: limit - type: text - title: Initial Interval - multi: false - required: true - show_user: false - description: Max number of logs pulled on each request - default: 100 - - name: initial_interval - type: text - title: Initial Interval - multi: false - required: true - show_user: true - description: Initial Interval for first log pull - default: 24h - - name: ssl - type: yaml - title: SSL - multi: false - required: false - show_user: false - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - cisco-secure_endpoint - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with 
metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n" - template_path: httpjson.yml.hbs - title: Cisco Secure Endpoint logs - description: Collect Cisco Secure Endpoint logs via the API
diff --git a/packages/cisco_secure_endpoint/2.4.1/data_stream/event/sample_event.json b/packages/cisco_secure_endpoint/2.4.1/data_stream/event/sample_event.json
deleted file mode 100755
index e5f9461194..0000000000
--- a/packages/cisco_secure_endpoint/2.4.1/data_stream/event/sample_event.json
+++ /dev/null
@@ -1,112 +0,0 @@ -{ - "@timestamp": "2021-01-13T10:13:08.000Z", - "agent": { - "ephemeral_id": "1bee52ec-b713-415e-9d9b-32c5217f9796", - "id": "83d8d392-d20c-40ef-a257-bf9cf314d1db", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "cisco": { - "secure_endpoint": { - "cloud_ioc": { - "description": "Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.", - "short_description": "W32.WinWord.Powershell" - }, - "computer": { - "active": true, - "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8", - "network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "38:1e:eb:ba:2c:15" - } - ] - }, - "connector_guid": "test_connector_guid", - "event_type_id": 1107296274, - "file": { - "disposition": "Clean", - "identity": {}, - "parent": { - "disposition": "Clean", - "identity": {} - } - }, - "group_guids": [ - "test_group_guid" - ], - "related": { - "mac": [ - "38-1E-EB-BA-2C-15" - ] - } - } - }, - "data_stream": { - "dataset": "cisco_secure_endpoint.event", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "83d8d392-d20c-40ef-a257-bf9cf314d1db", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "Cloud IOC", - "agent_id_status": "verified", - "category": [ - "file" - ], - "code": "1107296274", - "created": "2022-04-13T11:54:03.909Z", - "dataset": "cisco_secure_endpoint.event", - "id": "1515298355162029000", - "ingested": "2022-04-13T11:54:04Z", - "kind": "alert", - "original": "{\"data\":{\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"computer\":{\"active\":true,\"connector_guid\":\"test_connector_guid\",\"external_ip\":\"8.8.8.8\",\"hostname\":\"Demo_AMP\",\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\"},\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}]},\"connector_guid\":\"test_connector_guid\",\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}},\"group_guids\":[\"test_group_guid\"],\"id\":1515298355162029000,\"severity\":\"Medium\",\"start_date\":\"2021-01-13T10:13:08+00:00\",\"start_timestamp\":1610532788,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000},\"metadata\":{\"links\":{\"next\":\"http://7d3a7ffa9a19:8080/v1/events?start_date=2022-04-12T11:54:03+00:00\\u0026limit=1\\u0026offset=1\",\"self\":\"http://7d3a7ffa9a19:8080/v1/events?start_date=2022-04-12T11:54:03+00:00\\u0026limit=1\"},\"results\":{\"current_item_count\":1,\"index\":0,\"items_per_page\":1,\"total\":2}},\"version\":\"v1.2.0\"}", - "severity": 2, - "start": "2021-01-13T10:13:08.000Z" - }, - "file": { - "hash": { - "sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" - }, - "name": "PowerShell.exe", - "path": 
"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe" - }, - "host": { - "hostname": "Demo_AMP", - "name": "Demo_AMP" - }, - "input": { - "type": "httpjson" - }, - "process": { - "hash": { - "sha256": "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2" - } - }, - "related": { - "hash": [ - "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" - ], - "hosts": [ - "Demo_AMP" - ], - "ip": [ - "8.8.8.8", - "10.10.10.10" - ] - }, - "tags": [ - "cisco-secure_endpoint", - "forwarded", - "preserve_original_event" - ] -}
\ No newline at end of file
diff --git a/packages/cisco_secure_endpoint/2.4.1/docs/README.md b/packages/cisco_secure_endpoint/2.4.1/docs/README.md
deleted file mode 100755
index 78546ec1cd..0000000000
--- a/packages/cisco_secure_endpoint/2.4.1/docs/README.md
+++ /dev/null
@@ -1,290 +0,0 @@ -# Cisco Secure Endpoint Integration - -This integration is for [Cisco Secure Endpoint](https://developer.cisco.com/amp-for-endpoints/) logs. It includes the following datasets for receiving logs over syslog or read from a file: - -- `event` dataset: supports Cisco Secure Endpoint Event logs. - -## Logs - -### Secure Endpoint - -The `event` dataset collects Cisco Secure Endpoint logs. - -An example event for `event` looks as following: - -```json -{ - "@timestamp": "2021-01-13T10:13:08.000Z", - "agent": { - "ephemeral_id": "1bee52ec-b713-415e-9d9b-32c5217f9796", - "id": "83d8d392-d20c-40ef-a257-bf9cf314d1db", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "cisco": { - "secure_endpoint": { - "cloud_ioc": { - "description": "Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.", - "short_description": "W32.WinWord.Powershell" - }, - "computer": { - "active": true, - "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8", - "network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "38:1e:eb:ba:2c:15" - } - ] - }, - "connector_guid": "test_connector_guid", - "event_type_id": 1107296274, - "file": { - "disposition": "Clean", - "identity": {}, - "parent": { - "disposition": "Clean", - "identity": {} - } - }, - "group_guids": [ - "test_group_guid" - ], - "related": { - "mac": [ - "38-1E-EB-BA-2C-15" - ] - } - } - }, - "data_stream": { - "dataset": "cisco_secure_endpoint.event", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "83d8d392-d20c-40ef-a257-bf9cf314d1db", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "Cloud IOC", - "agent_id_status": "verified", - "category": [ - "file" - ], - "code": "1107296274", - "created": "2022-04-13T11:54:03.909Z", - 
"dataset": "cisco_secure_endpoint.event", - "id": "1515298355162029000", - "ingested": "2022-04-13T11:54:04Z", - "kind": "alert", - "original": "{\"data\":{\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"computer\":{\"active\":true,\"connector_guid\":\"test_connector_guid\",\"external_ip\":\"8.8.8.8\",\"hostname\":\"Demo_AMP\",\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\"},\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}]},\"connector_guid\":\"test_connector_guid\",\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}},\"group_guids\":[\"test_group_guid\"],\"id\":1515298355162029000,\"severity\":\"Medium\",\"start_date\":\"2021-01-13T10:13:08+00:00\",\"start_timestamp\":1610532788,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000},\"metadata\":{\"links\":{\"next\":\"http://7d3a7ffa9a19:8080/v1/events?start_date=2022-04-12T11:54:03+00:00\\u0026limit=1\\u0026offset=1\",\"self\":\"http://7d3a7ffa9a19:8080/v1/events?start_date=2022-04-12T11:54:03+00:00\\u0026limit=1\"},\"results\":{\"current_item_count\":1,\"index\":0,\"items_per_page\":1,\"total\":2}},\"version\":\"v1.2.0\"}", 
- "severity": 2, - "start": "2021-01-13T10:13:08.000Z" - }, - "file": { - "hash": { - "sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" - }, - "name": "PowerShell.exe", - "path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe" - }, - "host": { - "hostname": "Demo_AMP", - "name": "Demo_AMP" - }, - "input": { - "type": "httpjson" - }, - "process": { - "hash": { - "sha256": "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2" - } - }, - "related": { - "hash": [ - "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" - ], - "hosts": [ - "Demo_AMP" - ], - "ip": [ - "8.8.8.8", - "10.10.10.10" - ] - }, - "tags": [ - "cisco-secure_endpoint", - "forwarded", - "preserve_original_event" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cisco.secure_endpoint.bp_data | Endpoint isolation information | flattened | -| cisco.secure_endpoint.cloud_ioc.description | Description of the related IOC for specific IOC events from AMP. | keyword | -| cisco.secure_endpoint.cloud_ioc.short_description | Short description of the related IOC for specific IOC events from AMP. | keyword | -| cisco.secure_endpoint.command_line.arguments | The CLI arguments related to the Cloud Threat IOC reported by Cisco. | keyword | -| cisco.secure_endpoint.computer.active | If the current endpoint is active or not. | boolean | -| cisco.secure_endpoint.computer.connector_guid | The GUID of the connector, similar to top level connector_guid, but unique if multiple connectors are involved. | keyword | -| cisco.secure_endpoint.computer.external_ip | The external IP of the related host. | ip | -| cisco.secure_endpoint.computer.network_addresses | All network interface information on the related host. | flattened | -| cisco.secure_endpoint.connector_guid | The GUID of the connector sending information to AMP. 
| keyword | -| cisco.secure_endpoint.detection | The name of the malware detected. | keyword | -| cisco.secure_endpoint.detection_id | The ID of the detection. | keyword | -| cisco.secure_endpoint.error.description | Description of an endpoint error event. | keyword | -| cisco.secure_endpoint.error.error_code | The error code describing the related error event. | long | -| cisco.secure_endpoint.event_type_id | A sub ID of the event, depending on event type. | long | -| cisco.secure_endpoint.file.archived_file.disposition | Categorization of a file archive related to a file, for example "Malicious" or "Clean". | keyword | -| cisco.secure_endpoint.file.archived_file.identity.md5 | MD5 hash of the archived file related to the malicious event. | keyword | -| cisco.secure_endpoint.file.archived_file.identity.sha1 | SHA1 hash of the archived file related to the malicious event. | keyword | -| cisco.secure_endpoint.file.archived_file.identity.sha256 | SHA256 hash of the archived file related to the malicious event. | keyword | -| cisco.secure_endpoint.file.attack_details.application | The application name related to Exploit Prevention events. | keyword | -| cisco.secure_endpoint.file.attack_details.attacked_module | Path to the executable or dll that was attacked and detected by Exploit Prevention. | keyword | -| cisco.secure_endpoint.file.attack_details.base_address | The base memory address related to the exploit detected. | keyword | -| cisco.secure_endpoint.file.attack_details.indicators | Different indicator types that matches the exploit detected, for example different MITRE tactics. | flattened | -| cisco.secure_endpoint.file.attack_details.suspicious_files | An array of related files when an attack is detected by Exploit Prevention. | keyword | -| cisco.secure_endpoint.file.disposition | Categorization of file, for example "Malicious" or "Clean". 
| keyword | -| cisco.secure_endpoint.file.parent.disposition | Categorization of parrent, for example "Malicious" or "Clean". | keyword | -| cisco.secure_endpoint.group_guids | An array of group GUIDS related to the connector sending information to AMP. | keyword | -| cisco.secure_endpoint.network_info.disposition | Categorization of a network event related to a file, for example "Malicious" or "Clean". | keyword | -| cisco.secure_endpoint.network_info.nfm.direction | The current direction based on source and destination IP. | keyword | -| cisco.secure_endpoint.network_info.parent.disposition | Categorization of a IOC for example "Malicious" or "Clean". | keyword | -| cisco.secure_endpoint.network_info.parent.identify.sha256 | SHA256 hash of the related IOC. | keyword | -| cisco.secure_endpoint.network_info.parent.identity.md5 | MD5 hash of the related IOC. | keyword | -| cisco.secure_endpoint.network_info.parent.identity.sha1 | SHA1 hash of the related IOC. | keyword | -| cisco.secure_endpoint.related.cve | An array of all related CVEs | keyword | -| cisco.secure_endpoint.related.mac | An array of all related MAC addresses. | keyword | -| cisco.secure_endpoint.scan.clean | Boolean value if a scanned file was clean or not. | boolean | -| cisco.secure_endpoint.scan.description | Description of an event related to a scan being initiated, for example the specific directory name. | keyword | -| cisco.secure_endpoint.scan.malicious_detections | Count of malicious files or documents detected related to a single scan event. | long | -| cisco.secure_endpoint.scan.scanned_files | Count of files scanned in a directory. | long | -| cisco.secure_endpoint.scan.scanned_paths | Count of different directories scanned related to a single scan event. | long | -| cisco.secure_endpoint.scan.scanned_processes | Count of processes scanned related to a single scan event. | long | -| cisco.secure_endpoint.tactics | List of all MITRE tactics related to the incident found. 
| flattened | -| cisco.secure_endpoint.techniques | List of all MITRE techniques related to the incident found. | flattened | -| cisco.secure_endpoint.threat_hunting.incident_end_time | When the threat hunt finalized or closed. | date | -| cisco.secure_endpoint.threat_hunting.incident_hunt_guid | The GUID of the related investigation tracking issue. | keyword | -| cisco.secure_endpoint.threat_hunting.incident_id | The id of the related incident for the threat hunting activity. | long | -| cisco.secure_endpoint.threat_hunting.incident_remediation | Recommendations to resolve the vulnerability or exploited host. | keyword | -| cisco.secure_endpoint.threat_hunting.incident_report_guid | The GUID of the related threat hunting report. | keyword | -| cisco.secure_endpoint.threat_hunting.incident_start_time | When the threat hunt was initiated. | date | -| cisco.secure_endpoint.threat_hunting.incident_summary | Summary of the outcome on the threat hunting activity. | keyword | -| cisco.secure_endpoint.threat_hunting.incident_title | Title of the incident related to the threat hunting activity. | keyword | -| cisco.secure_endpoint.threat_hunting.severity | Severity result of the threat hunt registered to the malicious event. Can be Low-Critical. | keyword | -| cisco.secure_endpoint.threat_hunting.tactics | List of all MITRE tactics related to the incident found. | flattened | -| cisco.secure_endpoint.threat_hunting.techniques | List of all MITRE techniques related to the incident found. | flattened | -| cisco.secure_endpoint.timestamp_nanoseconds | The timestamp in Epoch nanoseconds. | date | -| cisco.secure_endpoint.vulnerabilities | An array of related vulnerabilities to the malicious event. | flattened | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
| keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline.
This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled.
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| file.hash.md5 | MD5 hash. | keyword |
-| file.hash.sha1 | SHA1 hash. | keyword |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`.
| text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
-| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
| long |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.hash.sha1 | SHA1 hash. | keyword |
-| process.hash.sha256 | SHA256 hash. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.pid | Process id. | long |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
-| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword |
-| threat.tactic.reference | The reference url of tactic used by this threat.
You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
-| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text |
-| threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-
diff --git a/packages/cisco_secure_endpoint/2.4.1/img/cisco.svg b/packages/cisco_secure_endpoint/2.4.1/img/cisco.svg
deleted file mode 100755
index 20ebebf197..0000000000
--- a/packages/cisco_secure_endpoint/2.4.1/img/cisco.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/cisco_secure_endpoint/2.4.1/manifest.yml b/packages/cisco_secure_endpoint/2.4.1/manifest.yml
deleted file mode 100755
index d37e6b5f6c..0000000000
--- a/packages/cisco_secure_endpoint/2.4.1/manifest.yml
+++ /dev/null
@@ -1,28 +0,0 @@ -format_version: 1.0.0 -name: cisco_secure_endpoint -title: Cisco Secure Endpoint (AMP) -version: 2.4.1 -license: basic -description: Collect logs from Cisco Secure Endpoint (AMP) with Elastic Agent. -type: integration -categories: - - network - - security -release: ga -conditions: - kibana.version: "^7.17.0 || ^8.0.0" -icons: - - src: /img/cisco.svg - title: cisco - size: 216x216 - type: image/svg+xml -policy_templates: - - name: cisco_secure_endpoint - title: Cisco Secure Endpoint logs - description: Collect logs from Cisco Secure Endpoint - inputs: - - type: httpjson - title: Collect logs from the Cisco Secure Endpoint API - description: Collecting logs from the Cisco Secure Endpoint API -owner: - github: elastic/security-external-integrations diff --git a/packages/crowdstrike/1.3.3/changelog.yml b/packages/crowdstrike/1.3.3/changelog.yml deleted file mode 100755 index effd0cd939..0000000000 --- a/packages/crowdstrike/1.3.3/changelog.yml +++ /dev/null 
@@ -1,165 +0,0 @@ -# newer versions go on top -- version: "1.3.3" - changes: - - description: Optimize FDR pipeline script processor. - type: bugfix - link: https://github.com/elastic/integrations/pull/3302 -- version: "1.3.2" - changes: - - description: Format source.mac as per ECS. - type: bugfix - link: https://github.com/elastic/integrations/pull/3302 -- version: "1.3.1" - changes: - - description: Update readme file. Added link to CrowdStrike docs - type: enhancement - link: https://github.com/elastic/integrations/pull/3057 -- version: "1.3.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "1.2.7" - changes: - - description: Move invalid field value - type: enhancement - link: https://github.com/elastic/integrations/pull/3098 -- version: "1.2.6" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.2.5" - changes: - - description: Add date parsing for BiosReleaseDate field. - type: bugfix - link: https://github.com/elastic/integrations/pull/2867 -- version: "1.2.4" - changes: - - description: Add missing field mapping for several event and host fields. - type: bugfix - link: https://github.com/elastic/integrations/pull/2869 -- version: "1.2.3" - changes: - - description: Change type of 'fdr_parsing_script' variable to 'yaml' so that the multi-line string creates a valid YAML config document. - type: bugfix - link: https://github.com/elastic/integrations/pull/2701 -- version: "1.2.2" - changes: - - description: Add Ingest Pipeline script to map IANA Protocol Numbers - type: bugfix - link: https://github.com/elastic/integrations/pull/2470 -- version: "1.2.1" - changes: - - description: Fix issue with "Is FDR Queue" selector having no effect. 
- type: bugfix - link: https://github.com/elastic/integrations/pull/2653 -- version: "1.2.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2398 -- version: "1.1.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.1.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.1.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2229 -- version: "1.0.4" - changes: - - description: Add ability to read from both FDR provided and user owned SQS queues for FDR. - type: bugfix - link: https://github.com/elastic/integrations/pull/2198 - - description: Pipeline fixes for FDR - type: bugfix - link: https://github.com/elastic/integrations/pull/2198 -- version: "1.0.3" - changes: - - description: Uniform with guidelines - type: enhancement - link: https://github.com/elastic/integrations/pull/2022 -- version: "1.0.2" - changes: - - description: Update Title and Description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1961 -- version: "1.0.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1812 -- version: '1.0.0' - changes: - - description: make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1630 -- version: "0.9.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1655 -- version: "0.8.1" - changes: - - description: Add proxy config - type: enhancement - link: https://github.com/elastic/integrations/pull/1648 -- version: "0.8.0" - changes: - - description: Add FDR data stream. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1522 - - description: Change Falcon ECS fields definition to use references - type: enhancement - link: https://github.com/elastic/integrations/pull/1522 - - description: Add cleanup processor to Falcon - type: enhancement - link: https://github.com/elastic/integrations/pull/1522 -- version: '0.7.1' - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1378 -- version: "0.7.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.6.0" - changes: - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1258 -- version: "0.5.0" - changes: - - description: update to ECS 1.10.0 and add event.original options - type: enhancement - link: https://github.com/elastic/integrations/pull/1036 -- version: "0.4.1" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/841 -- version: "0.4.0" - changes: - - description: Moves edge processing to ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/774 -- version: "0.3.1" - changes: - - description: Change kibana.version constraint to be more conservative. - type: bugfix - link: https://github.com/elastic/integrations/pull/749 -- version: "0.1.0" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/182 diff --git a/packages/crowdstrike/1.3.3/data_stream/falcon/agent/stream/log.yml.hbs b/packages/crowdstrike/1.3.3/data_stream/falcon/agent/stream/log.yml.hbs deleted file mode 100755 index 79e1726037..0000000000 --- a/packages/crowdstrike/1.3.3/data_stream/falcon/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,25 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -# Crowdstrike Falcon SIEM connector logs are multiline JSON by default -multiline.pattern: '^{' -multiline.negate: true -multiline.match: after -multiline.max_lines: 5000 -multiline.timeout: 10 -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/auth_activity_audit.yml b/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/auth_activity_audit.yml deleted file mode 100755 index 1469046543..0000000000 --- a/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/auth_activity_audit.yml +++ /dev/null @@ -1,32 +0,0 @@ ---- -processors: - - set: - field: event.kind - value: event - - append: - field: event.category - value: [authentication] - - append: - field: event.type - value: [change] - - convert: - field: crowdstrike.event.ServiceName - type: string - target_field: message - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.UserIp - target_field: source.ip - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.crowdstrike?.event?.UserIp != null && ctx?.crowdstrike?.event?.UserIp != "" - - script: - lang: painless - source: | - def regex = /([a-z0-9])([A-Z])/; - def replacement = "$1_$2"; - def action = ctx?.crowdstrike?.event?.OperationName; - if (action == null || action == "") return; - ctx["event.action"] = regex.matcher(action).replaceAll(replacement).toLowerCase(); 
diff --git a/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 2a94af718b..0000000000
--- a/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,423 +0,0 @@ ---- -description: Ingest pipeline for normalizing CrowdStrike Falcon logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: crowdstrike - - remove: - field: - - host.name - ignore_missing: true - - remove: - field: crowdstrike.event.ProcessStartTime - ignore_missing: true - if: ctx?.crowdstrike?.event?.ProcessStartTime == 0 - - date: - field: crowdstrike.event.ProcessStartTime - target_field: crowdstrike.event.ProcessStartTime - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.ProcessStartTime != null && - !(ctx.crowdstrike.event.ProcessStartTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.ProcessStartTime) + 1) >= 12 - - remove: - field: crowdstrike.event.ProcessEndTime - ignore_missing: true - if: ctx?.crowdstrike?.event?.ProcessEndTime == 0 - - date: - field: crowdstrike.event.ProcessEndTime - target_field: crowdstrike.event.ProcessEndTime - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.ProcessEndTime != null && - !(ctx.crowdstrike.event.ProcessEndTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.ProcessEndTime) + 1) >= 12 - - remove: - field: crowdstrike.event.IncidentStartTime - ignore_missing: true - if: ctx?.crowdstrike?.event?.IncidentStartTime == 0 - - date: - field: crowdstrike.event.IncidentStartTime - target_field: crowdstrike.event.IncidentStartTime - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.IncidentStartTime != null && - !(ctx.crowdstrike.event.IncidentStartTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.IncidentStartTime) + 1) >= 12 - - remove: - field: crowdstrike.event.IncidentEndTime - ignore_missing: true - if: ctx?.crowdstrike?.event?.IncidentEndTime == 0 - - date: - field: 
crowdstrike.event.IncidentEndTime - target_field: crowdstrike.event.IncidentEndTime - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.IncidentEndTime != null && - !(ctx.crowdstrike.event.IncidentEndTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.IncidentEndTime) + 1) >= 12 - - remove: - field: crowdstrike.event.StartTimestamp - ignore_missing: true - if: ctx?.crowdstrike?.event?.StartTimestamp == 0 - - date: - field: crowdstrike.event.StartTimestamp - target_field: crowdstrike.event.StartTimestamp - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.StartTimestamp != null && - !(ctx.crowdstrike.event.StartTimestamp instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.StartTimestamp) + 1) >= 12 - - remove: - field: crowdstrike.event.EndTimestamp - ignore_missing: true - if: ctx?.crowdstrike?.event?.EndTimestamp == 0 - - date: - field: crowdstrike.event.EndTimestamp - target_field: crowdstrike.event.EndTimestamp - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.EndTimestamp != null && - !(ctx.crowdstrike.event.EndTimestamp instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.EndTimestamp) + 1) >= 12 - - remove: - field: crowdstrike.event.UTCTimestamp - ignore_missing: true - if: ctx?.crowdstrike?.event?.UTCTimestamp == 0 - - date: - field: crowdstrike.event.UTCTimestamp - target_field: crowdstrike.event.UTCTimestamp - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.UTCTimestamp != null && - !(ctx.crowdstrike.event.UTCTimestamp instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.UTCTimestamp) + 1) >= 12 - - remove: - field: crowdstrike.metadata.eventCreationTime - ignore_missing: true - if: ctx?.crowdstrike?.metadata?.eventCreationTime == 0 - - date: - field: crowdstrike.metadata.eventCreationTime - target_field: 
crowdstrike.metadata.eventCreationTime - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.metadata?.eventCreationTime != null && - !(ctx.crowdstrike.metadata.eventCreationTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.metadata.eventCreationTime) + 1) >= 12 - - date: - field: crowdstrike.event.ProcessStartTime - target_field: crowdstrike.event.ProcessStartTime - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.ProcessStartTime != null && - !(ctx.crowdstrike.event.ProcessStartTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.ProcessStartTime) + 1) < 12 - - date: - field: crowdstrike.event.ProcessEndTime - target_field: crowdstrike.event.ProcessEndTime - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.ProcessEndTime != null && - !(ctx.crowdstrike.event.ProcessEndTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.ProcessEndTime) + 1) < 12 - - date: - field: crowdstrike.event.IncidentStartTime - target_field: crowdstrike.event.IncidentStartTime - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.IncidentStartTime != null && - !(ctx.crowdstrike.event.IncidentStartTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.IncidentStartTime) + 1) < 12 - - date: - field: crowdstrike.event.IncidentEndTime - target_field: crowdstrike.event.IncidentEndTime - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.IncidentEndTime != null && - !(ctx.crowdstrike.event.IncidentEndTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.IncidentEndTime) + 1) < 12 - - date: - field: crowdstrike.event.StartTimestamp - target_field: crowdstrike.event.StartTimestamp - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.StartTimestamp != null && - 
!(ctx.crowdstrike.event.StartTimestamp instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.StartTimestamp) + 1) < 12 - - date: - field: crowdstrike.event.EndTimestamp - target_field: crowdstrike.event.EndTimestamp - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.EndTimestamp != null && - !(ctx.crowdstrike.event.EndTimestamp instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.EndTimestamp) + 1) < 12 - - date: - field: crowdstrike.event.UTCTimestamp - target_field: crowdstrike.event.UTCTimestamp - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.UTCTimestamp != null && - !(ctx.crowdstrike.event.UTCTimestamp instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.UTCTimestamp) + 1) < 12 - - date: - field: crowdstrike.metadata.eventCreationTime - target_field: crowdstrike.metadata.eventCreationTime - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.metadata?.eventCreationTime != null && - !(ctx.crowdstrike.metadata.eventCreationTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.metadata.eventCreationTime) + 1) < 12 - - set: - field: event.outcome - value: success - if: ctx?.crowdstrike?.event?.Success == true - - set: - field: event.outcome - value: failure - if: ctx?.crowdstrike?.event?.Success == false - - set: - field: event.outcome - value: unknown - if: ctx?.event?.outcome == null - - convert: - field: crowdstrike.metadata.eventCreationTime - target_field: "@timestamp" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.LateralMovement - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.LocalPort - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.MatchCount - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: 
crowdstrike.event.MatchCountSinceLastReport - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.PID - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.RemotePort - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: source.port - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: destination.port - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.UserName - target_field: user.name - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.UserId - target_field: user.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.user?.name == null || ctx?.user?.name == "" - - set: - field: user.email - value: "{{user.name}}" - ignore_empty_value: true - ignore_failure: true - if: ctx?.user?.name != null && /@/.split(ctx.user.name).length == 2 - - script: - lang: painless - source: | - def commandLine = ctx?.crowdstrike?.event?.CommandLine; - if (commandLine != null) { - - commandLine = commandLine.trim(); - - if (commandLine != "") { - def args = Arrays.asList(/ /.split(commandLine)); - args.removeIf(arg -> arg == ""); - - ctx["process.command_line"] = commandLine; - ctx["process.args"] = args; - ctx["process.executable"] = args.get(0); - } - } - - pipeline: - name: '{{ IngestPipeline "detection_summary" }}' - if: ctx?.crowdstrike?.metadata?.eventType == "DetectionSummaryEvent" - - pipeline: - name: '{{ IngestPipeline "incident_summary" }}' - if: ctx?.crowdstrike?.metadata?.eventType == "IncidentSummaryEvent" - - pipeline: - name: '{{ IngestPipeline "user_activity_audit" }}' - if: ctx?.crowdstrike?.metadata?.eventType == "UserActivityAuditEvent" - - pipeline: - name: '{{ IngestPipeline "auth_activity_audit" }}' - if: ctx?.crowdstrike?.metadata?.eventType == "AuthActivityAuditEvent" - - pipeline: - name: '{{ 
IngestPipeline "firewall_match" }}' - if: ctx?.crowdstrike?.metadata?.eventType == "FirewallMatchEvent" - - pipeline: - name: '{{ IngestPipeline "remote_response_session_start" }}' - if: ctx?.crowdstrike?.metadata?.eventType == "RemoteResponseSessionStartEvent" - - pipeline: - name: '{{ IngestPipeline "remote_response_session_end" }}' - if: ctx?.crowdstrike?.metadata?.eventType == "RemoteResponseSessionEndEvent" - - script: - lang: painless - if: ctx?.crowdstrike?.event != null - params: - values: - - null - - '' - - '-' - - 'N/A' - - 'NA' - - 0 - source: | - ctx.crowdstrike.event.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); - - script: - lang: painless - if: ctx?.crowdstrike?.metadata != null - params: - values: - - null - - '' - - '-' - - 'N/A' - - 'NA' - source: | - ctx.crowdstrike.metadata.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); - - append: - field: related.user - value: "{{user.name}}" - allow_duplicates: false - ignore_failure: true - if: ctx?.user?.name != null && ctx?.user?.name != "" - - append: - field: related.ip - value: "{{source.ip}}" - ignore_failure: true - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - ignore_failure: true - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - - append: - field: related.hosts - value: "{{host.name}}" - ignore_failure: true - allow_duplicates: false - if: ctx?.host?.name != null && ctx?.host?.name != "" - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. 
- source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml b/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml deleted file mode 100755 index 22bebe784e..0000000000 --- a/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml +++ /dev/null 
@@ -1,161 +0,0 @@ ---- -processors: - - set: - field: event.kind - value: alert - - append: - field: event.category - value: [malware] - - append: - field: event.type - value: [info] - - set: - field: agent.type - value: falcon - - convert: - field: crowdstrike.event.LocalIP - target_field: source.ip - type: string - ignore_failure: true - ignore_missing: true - if: ctx?.crowdstrike?.event?.LocalIP != null && ctx?.crowdstrike?.event?.LocalIP != "" - - convert: - field: crowdstrike.event.ProcessId - target_field: process.pid - ignore_failure: true - type: long - ignore_missing: true - - convert: - field: crowdstrike.event.ParentImageFileName - target_field: process.parent.executable - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.ParentCommandLine - target_field: process.parent.command_line - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.PatternDispositionDescription - target_field: event.action - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.FalconHostLink - target_field: event.url - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.Severity - target_field: event.severity - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.DetectDescription - target_field: message - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.FileName - target_field: process.name - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.UserName - target_field: user.name - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.MachineDomain - target_field: user.domain - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.SensorId - target_field: agent.id - type: 
string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.ComputerName - target_field: host.name - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.SHA256String - target_field: file.hash.sha256 - type: string - ignore_failure: true - ignore_missing: true - - append: - field: related.hash - value: "{{file.hash.sha256}}" - allow_duplicates: false - ignore_failure: true - if: ctx?.file?.hash?.sha256 != null && ctx?.file?.hash?.sha256 != "" && !(/^0+$/.matcher(ctx.file.hash.sha256).matches()) - - convert: - field: crowdstrike.event.MD5String - target_field: file.hash.md5 - type: string - ignore_failure: true - ignore_missing: true - - append: - field: related.hash - value: "{{file.hash.md5}}" - allow_duplicates: false - ignore_failure: true - if: ctx?.file?.hash?.md5 != null && ctx?.file?.hash?.md5 != "" && !(/^0+$/.matcher(ctx.file.hash.md5).matches()) - - convert: - field: crowdstrike.event.SHA1String - target_field: file.hash.sha1 - type: string - ignore_failure: true - ignore_missing: true - - append: - field: related.hash - value: "{{file.hash.sha1}}" - allow_duplicates: false - ignore_failure: true - if: ctx?.file?.hash?.sha1 != null && ctx?.file?.hash?.sha1 != "" && !(/^0+$/.matcher(ctx.file.hash.sha1).matches()) - - convert: - field: crowdstrike.event.DetectName - target_field: rule.name - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.DetectDescription - target_field: rule.description - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.Technique - target_field: threat.technique.name - type: string - ignore_failure: true - ignore_missing: true - - lowercase: - field: threat.technique.name - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.Tactic - target_field: threat.tactic.name - type: string - ignore_failure: true - ignore_missing: true - - 
lowercase: - field: threat.tactic.name - ignore_missing: true - ignore_failure: true diff --git a/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml b/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml deleted file mode 100755 index 28dac8ccd0..0000000000 --- a/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml +++ /dev/null 
@@ -1,135 +0,0 @@ ---- -processors: - - set: - field: event.kind - value: event - - append: - field: event.category - value: [network] - - append: - field: event.action - value: [firewall_match_event] - - append: - field: event.type - value: [start, connection] - - set: - field: message - value: "Firewall Rule '{{crowdstrike.event.RuleName}}' triggered" - if: ctx?.crowdstrike?.event?.RuleName != null - ignore_failure: true - - convert: - field: "crowdstrike.event.Ipv" - target_field: "network.type" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.PID" - target_field: "process.pid" - ignore_failure: true - ignore_missing: true - type: "long" - - convert: - field: "crowdstrike.event.RuleId" - target_field: "rule.id" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.RuleName" - target_field: "rule.name" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.RuleGroupName" - target_field: "rule.ruleset" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.RuleDescription" - target_field: "rule.description" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.RuleFamilyID" - target_field: "rule.category" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.HostName" - target_field: "host.name" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.Ipv" - target_field: "network.type" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.EventType" - target_field: "event.code" - type: string - ignore_missing: true - ignore_failure: true - - set: - field: network.direction - value: ingress - if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" - - set: - field: source.ip - value: 
"{{crowdstrike.event.RemoteAddress}}" - ignore_empty_value: true - if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" - - convert: - field: crowdstrike.event.RemotePort - target_field: source.port - type: long - ignore_missing: true - ignore_failure: true - if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" - - set: - field: destination.ip - value: "{{crowdstrike.event.LocalAddress}}" - ignore_empty_value: true - if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" - - convert: - field: crowdstrike.event.LocalPort - target_field: destination.port - type: long - ignore_missing: true - ignore_failure: true - if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" - - set: - field: network.direction - value: ingress - if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" - - set: - field: destination.ip - value: "{{crowdstrike.event.RemoteAddress}}" - ignore_empty_value: true - if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" - - convert: - field: crowdstrike.event.RemotePort - target_field: destination.port - type: long - ignore_missing: true - ignore_failure: true - if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" - - set: - field: source.ip - value: "{{crowdstrike.event.LocalAddress}}" - ignore_empty_value: true - if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" - - convert: - field: crowdstrike.event.LocalPort - target_field: source.port - type: long - ignore_missing: true - ignore_failure: true - if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" diff --git a/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/incident_summary.yml b/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/incident_summary.yml deleted file mode 100755 index 667222dc79..0000000000 --- a/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/incident_summary.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -processors: - - set: - field: event.kind - value: alert - - append: - field: event.category - value: [malware] - - append: - field: event.type - value: [info] - - set: - field: event.action - value: incident - - set: - field: agent.type - value: falcon - - convert: - field: crowdstrike.event.FalconHostLink - target_field: event.url - type: string - ignore_failure: true - ignore_missing: true - - set: - field: message - value: "Incident score {{crowdstrike.event.FineScore}}" - if: ctx?.crowdstrike?.event?.FineScore != null diff --git a/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_end.yml b/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_end.yml deleted file mode 100755 index 7415f62e1d..0000000000 --- a/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_end.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -processors: - - set: - field: event.kind - value: event - - append: - field: event.category - value: [network, session] - - append: - field: event.action - value: [remote_response_session_end_event] - - append: - field: event.type - value: [end] - - set: - field: message - value: Remote response session ended. - - convert: - field: crowdstrike.event.HostnameField - target_field: host.name - type: string - ignore_failure: true - ignore_missing: true diff --git a/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_start.yml b/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_start.yml deleted file mode 100755 index d965bd8ac7..0000000000 --- a/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_start.yml +++ /dev/null 
@@ -1,23 +0,0 @@ ---- -processors: - - set: - field: event.kind - value: event - - append: - field: event.category - value: [network, session] - - append: - field: event.action - value: [remote_response_session_start_event] - - append: - field: event.type - value: [start] - - set: - field: message - value: Remote response session started. - - convert: - field: crowdstrike.event.HostnameField - target_field: host.name - type: string - ignore_failure: true - ignore_missing: true diff --git a/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/user_activity_audit.yml b/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/user_activity_audit.yml deleted file mode 100755 index 7d03e0115b..0000000000 --- a/packages/crowdstrike/1.3.3/data_stream/falcon/elasticsearch/ingest_pipeline/user_activity_audit.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -processors: - - set: - field: event.kind - value: event - - append: - field: event.category - value: [iam] - - append: - field: event.type - value: [change] - - set: - field: event.action - value: user_activity_audit_event - - convert: - field: crowdstrike.event.OperationName - target_field: message - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.UserIp - target_field: source.ip - type: string - ignore_failure: true - ignore_missing: true - if: ctx?.crowdstrike?.event?.UserIp != null && ctx?.crowdstrike?.event?.UserIp != "" diff --git a/packages/crowdstrike/1.3.3/data_stream/falcon/fields/agent.yml b/packages/crowdstrike/1.3.3/data_stream/falcon/fields/agent.yml deleted file mode 100755 index 5c9e2055ad..0000000000 --- a/packages/crowdstrike/1.3.3/data_stream/falcon/fields/agent.yml +++ /dev/null 
@@ -1,190 +0,0 @@ -- description: Fields related to the cloud or infrastructure the events are coming from. - fields: - - description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - example: 666777888999 - ignore_above: 1024 - level: extended - name: account.id - type: keyword - - description: Availability zone in which this host is running. - example: us-east-1c - ignore_above: 1024 - level: extended - name: availability_zone - type: keyword - - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - ignore_above: 1024 - level: extended - name: instance.id - type: keyword - - description: Instance name of the host machine. - ignore_above: 1024 - level: extended - name: instance.name - type: keyword - - description: Machine type of the host machine. - example: t2.medium - ignore_above: 1024 - level: extended - name: machine.type - type: keyword - - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - ignore_above: 1024 - level: extended - name: provider - type: keyword - - description: Region in which this host is running. - example: us-east-1 - ignore_above: 1024 - level: extended - name: region - type: keyword - - description: Name of the project in Google Cloud. - name: project.id - type: keyword - - description: Image ID for the cloud instance. - name: image.id - type: keyword - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' 
- group: 2 - name: cloud - title: Cloud - type: group -- description: |- - Container fields are used for meta information about the specific container that is the source of information. - These fields help correlate data based containers from any runtime. - fields: - - description: Unique container id. - name: id - type: keyword - - description: Name of the image the container was built on. - ignore_above: 1024 - level: extended - name: image.name - type: keyword - - description: Image labels. - level: extended - name: labels - object_type: keyword - type: object - - description: Container name. - ignore_above: 1024 - level: extended - name: name - type: keyword - group: 2 - name: container - title: Container - type: group -- description: |- - A host is defined as a general computing instance. - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. - fields: - - description: Operating system architecture. - example: x86_64 - ignore_above: 1024 - level: core - name: architecture - type: keyword - - default_field: false - description: |- - Name of the domain of which the host is a member. - For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. - example: CONTOSO - ignore_above: 1024 - level: extended - name: domain - type: keyword - - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 - level: core - name: hostname - type: keyword - - description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - ignore_above: 1024 - level: core - name: id - type: keyword - - description: Host ip addresses. 
- level: core - name: ip - type: ip - - description: Host mac addresses. - ignore_above: 1024 - level: core - name: mac - type: keyword - - description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: name - type: keyword - - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - ignore_above: 1024 - level: extended - name: os.family - type: keyword - - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - ignore_above: 1024 - level: extended - name: os.kernel - type: keyword - - description: Operating system name, without the version. - example: Mac OS X - ignore_above: 1024 - level: extended - multi_fields: - - default_field: false - name: text - norms: false - type: text - name: os.name - type: keyword - - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - ignore_above: 1024 - level: extended - name: os.platform - type: keyword - - description: Operating system version as a raw string. - example: 10.14.1 - ignore_above: 1024 - level: extended - name: os.version - type: keyword - - description: |- - Type of host. - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. - ignore_above: 1024 - level: core - name: type - type: keyword - - description: | - If the host is a container. - name: containerized - type: boolean - - description: | - OS build information. - example: 18D109 - name: os.build - type: keyword - - description: | - OS codename, if any. - example: stretch - name: os.codename - type: keyword - group: 2 - name: host - title: Host - type: group 
diff --git a/packages/crowdstrike/1.3.3/data_stream/falcon/fields/base-fields.yml b/packages/crowdstrike/1.3.3/data_stream/falcon/fields/base-fields.yml deleted file mode 100755 index 8248c071b3..0000000000 --- a/packages/crowdstrike/1.3.3/data_stream/falcon/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: crowdstrike -- name: event.dataset - type: constant_keyword - description: Event dataset - value: crowdstrike.falcon -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/crowdstrike/1.3.3/data_stream/falcon/fields/beats.yml b/packages/crowdstrike/1.3.3/data_stream/falcon/fields/beats.yml deleted file mode 100755 index 986a819b29..0000000000 --- a/packages/crowdstrike/1.3.3/data_stream/falcon/fields/beats.yml +++ /dev/null @@ -1,14 +0,0 @@ -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword diff --git a/packages/crowdstrike/1.3.3/data_stream/falcon/fields/ecs.yml b/packages/crowdstrike/1.3.3/data_stream/falcon/fields/ecs.yml deleted file mode 100755 index 5a7c547c56..0000000000 --- a/packages/crowdstrike/1.3.3/data_stream/falcon/fields/ecs.yml +++ /dev/null 
@@ -1,229 +0,0 @@ -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. 
This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - URL linking to an external system to continue investigation of this event. - This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. - name: event.url - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - multi_fields: - - name: text - type: match_only_text - name: threat.technique.name - type: keyword -- description: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) - name: threat.tactic.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Array of process arguments, starting with the absolute path to the executable. - May be filtered to protect sensitive information. - name: process.args - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.parent.executable - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. 
- Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.parent.command_line - type: wildcard -- description: |- - Custom name of the agent. - This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. - If no name is given, the name is often left empty. - name: agent.name - type: keyword -- description: |- - Unique identifier of this agent (if one exists). - Example: For Beats this would be beat.id. - name: agent.id - type: keyword -- description: |- - Type of the agent. - The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. - name: agent.type - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: SHA256 hash. - name: file.hash.sha256 - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: The description of the rule generating the event. - name: rule.description - type: keyword -- description: Error message. 
- name: error.message - type: match_only_text -- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. - name: rule.ruleset - type: keyword -- description: A categorization value keyword used by the entity using the rule for detection of this event. - name: rule.category - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- type: keyword
diff --git a/packages/crowdstrike/1.3.3/data_stream/falcon/fields/fields.yml b/packages/crowdstrike/1.3.3/data_stream/falcon/fields/fields.yml
deleted file mode 100755
index f8b93a2aaf..0000000000
--- a/packages/crowdstrike/1.3.3/data_stream/falcon/fields/fields.yml
+++ /dev/null
@@ -1,399 +0,0 @@ -- name: crowdstrike.metadata - title: Metadata fields - type: group - fields: - - name: eventType - type: keyword - description: | - DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent - - name: eventCreationTime - type: date - description: | - The time this event occurred on the endpoint in UTC UNIX_MS format. - - name: offset - type: integer - description: | - Offset number that tracks the location of the event in stream. This is used to identify unique detection events. - - name: customerIDString - type: keyword - description: | - Customer identifier - - name: version - type: keyword - description: | - Schema version -- name: crowdstrike.event - title: Event fields - type: group - fields: - - name: ProcessStartTime - type: date - description: | - The process start time in UTC UNIX_MS format. - - name: ProcessEndTime - type: date - description: | - The process termination time in UTC UNIX_MS format. - - name: ProcessId - type: integer - description: | - Process ID related to the detection. - - name: ParentProcessId - type: integer - description: | - Parent process ID related to the detection. - - name: ComputerName - type: keyword - description: | - Name of the computer where the detection occurred. - - name: UserName - type: keyword - description: | - User name associated with the detection. - - name: DetectName - type: keyword - description: | - Name of the detection. - - name: DetectDescription - type: keyword - description: | - Description of the detection. - - name: Severity - type: integer - description: | - Severity score of the detection. - - name: SeverityName - type: keyword - description: | - Severity score text. - - name: FileName - type: keyword - description: | - File name of the associated process for the detection. 
- - name: FilePath - type: keyword - description: | - Path of the executable associated with the detection. - - name: CommandLine - type: keyword - description: | - Executable path with command line arguments. - - name: SHA1String - type: keyword - description: | - SHA1 sum of the executable associated with the detection. - - name: SHA256String - type: keyword - description: | - SHA256 sum of the executable associated with the detection. - - name: MD5String - type: keyword - description: | - MD5 sum of the executable associated with the detection. - - name: MachineDomain - type: keyword - description: | - Domain for the machine associated with the detection. - - name: FalconHostLink - type: keyword - description: | - URL to view the detection in Falcon. - - name: SensorId - type: keyword - description: | - Unique ID associated with the Falcon sensor. - - name: DetectId - type: keyword - description: | - Unique ID associated with the detection. - - name: LocalIP - type: keyword - description: | - IP address of the host associated with the detection. - - name: MACAddress - type: keyword - description: | - MAC address of the host associated with the detection. - - name: Tactic - type: keyword - description: | - MITRE tactic category of the detection. - - name: Technique - type: keyword - description: | - MITRE technique category of the detection. - - name: Objective - type: keyword - description: | - Method of detection. - - name: PatternDispositionDescription - type: keyword - description: | - Action taken by Falcon. - - name: PatternDispositionValue - type: integer - description: | - Unique ID associated with action taken. - - name: PatternDispositionFlags - type: group - description: | - Flags indicating actions taken. 
- fields: - - name: Detect - type: boolean - - name: InddetMask - type: boolean - - name: Indicator - type: boolean - - name: KillParent - type: boolean - - name: KillProcess - type: boolean - - name: KillSubProcess - type: boolean - - name: OperationBlocked - type: boolean - - name: PolicyDisabled - type: boolean - - name: ProcessBlocked - type: boolean - - name: QuarantineFile - type: boolean - - name: QuarantineMachine - type: boolean - - name: Rooting - type: boolean - - name: SensorOnly - type: boolean - - name: BootupSafeguardEnabled - type: boolean - - name: CriticalProcessDisabled - type: boolean - - name: FsOperationBlocked - type: boolean - - name: RegistryOperationBlocked - type: boolean - - name: State - type: keyword - description: | - Whether the incident summary is open and ongoing or closed. - - name: IncidentStartTime - type: date - description: | - Start time for the incident in UTC UNIX format. - - name: IncidentEndTime - type: date - description: | - End time for the incident in UTC UNIX format. - - name: FineScore - type: float - description: | - Score for incident. - - name: UserId - type: keyword - description: | - Email address or user ID associated with the event. - - name: UserIp - type: keyword - description: | - IP address associated with the user. - - name: OperationName - type: keyword - description: | - Event subtype. - - name: ServiceName - type: keyword - description: | - Service associated with this event. - - name: Success - type: boolean - description: | - Indicator of whether or not this event was successful. - - name: UTCTimestamp - type: date - description: | - Timestamp associated with this event in UTC UNIX format. - - name: AuditKeyValues - type: nested - description: | - Fields that were changed in this event. - - name: ExecutablesWritten - type: nested - description: | - Detected executables written to disk by a process. - - name: SessionId - type: keyword - description: | - Session ID of the remote response session. 
- - name: HostnameField - type: keyword - description: | - Host name of the machine for the remote session. - - name: StartTimestamp - type: date - description: | - Start time for the remote session in UTC UNIX format. - - name: EndTimestamp - type: date - description: | - End time for the remote session in UTC UNIX format. - - name: LateralMovement - type: long - description: | - Lateral movement field for incident. - - name: ParentImageFileName - type: keyword - description: | - Path to the parent process. - - name: ParentCommandLine - type: keyword - description: | - Parent process command line arguments. - - name: GrandparentImageFileName - type: keyword - description: | - Path to the grandparent process. - - name: GrandparentCommandLine - type: keyword - description: | - Grandparent process command line arguments. - - name: IOCType - type: keyword - description: | - CrowdStrike type for indicator of compromise. - - name: IOCValue - type: keyword - description: | - CrowdStrike value for indicator of compromise. - - name: CustomerId - type: keyword - description: | - Customer identifier. - - name: DeviceId - type: keyword - description: | - Device on which the event occurred. - - name: Ipv - type: keyword - description: | - Protocol for network request. - - name: ConnectionDirection - type: keyword - description: | - Direction for network connection. - - name: EventType - type: keyword - description: | - CrowdStrike provided event type. - - name: HostName - type: keyword - description: | - Host name of the local machine. - - name: ICMPCode - type: keyword - description: | - RFC2780 ICMP Code field. - - name: ICMPType - type: keyword - description: | - RFC2780 ICMP Type field. - - name: ImageFileName - type: keyword - description: | - File name of the associated process for the detection. - - name: PID - type: long - description: | - Associated process id for the detection. - - name: LocalAddress - type: ip - description: | - IP address of local machine. 
- - name: LocalPort - type: long - description: | - Port of local machine. - - name: RemoteAddress - type: ip - description: | - IP address of remote machine. - - name: RemotePort - type: long - description: | - Port of remote machine. - - name: RuleAction - type: keyword - description: | - Firewall rule action. - - name: RuleDescription - type: keyword - description: | - Firewall rule description. - - name: RuleFamilyID - type: keyword - description: | - Firewall rule family id. - - name: RuleGroupName - type: keyword - description: | - Firewall rule group name. - - name: RuleName - type: keyword - description: | - Firewall rule name. - - name: RuleId - type: keyword - description: | - Firewall rule id. - - name: MatchCount - type: long - description: | - Number of firewall rule matches. - - name: MatchCountSinceLastReport - type: long - description: | - Number of firewall rule matches since the last report. - - name: Timestamp - type: date - description: | - Firewall rule triggered timestamp. - - name: Flags.Audit - type: boolean - description: | - CrowdStrike audit flag. - - name: Flags.Log - type: boolean - description: | - CrowdStrike log flag. - - name: Flags.Monitor - type: boolean - description: | - CrowdStrike monitor flag. - - name: Protocol - type: keyword - description: | - CrowdStrike provided protocol. - - name: NetworkProfile - type: keyword - description: | - CrowdStrike network profile. - - name: PolicyName - type: keyword - description: | - CrowdStrike policy name. - - name: PolicyID - type: keyword - description: | - CrowdStrike policy id. - - name: Status - type: keyword - description: | - CrowdStrike status. - - name: TreeID - type: keyword - description: | - CrowdStrike tree id. - - name: Commands - type: keyword - description: | - Commands run in a remote session. 
diff --git a/packages/crowdstrike/1.3.3/data_stream/falcon/manifest.yml b/packages/crowdstrike/1.3.3/data_stream/falcon/manifest.yml
deleted file mode 100755
index 29fc804f02..0000000000
--- a/packages/crowdstrike/1.3.3/data_stream/falcon/manifest.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-type: logs
-title: Crowdstrike falcon logs
-streams:
- - input: logfile
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/crowdstrike/falconhoseclient/output
- name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - crowdstrike-falcon
- name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: log.yml.hbs
- title: Crowdstrike falcon logs (log)
- description: Collect Crowdstrike falcon logs using log input
diff --git a/packages/crowdstrike/1.3.3/data_stream/falcon/sample_event.json b/packages/crowdstrike/1.3.3/data_stream/falcon/sample_event.json
deleted file mode 100755
index b2a82f11fc..0000000000
--- a/packages/crowdstrike/1.3.3/data_stream/falcon/sample_event.json
+++ /dev/null
@@ -1,109 +0,0 @@ -{ - "@timestamp": "2020-02-12T21:29:10.710Z", - "agent": { - "ephemeral_id": "cc9fb403-5b26-4fe7-aefc-41666b9f4575", - "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.0" - }, - "crowdstrike": { - "event": { - "AuditKeyValues": [ - { - "Key": "APIClientID", - "ValueString": "1234567890abcdefghijklmnopqr" - }, - { - "Key": "partition", - "ValueString": "0" - }, - { - "Key": "offset", - "ValueString": "-1" - }, - { - "Key": "appId", - "ValueString": "siem-connector-v2.0.0" - }, - { - "Key": "eventType", - "ValueString": "[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]" - } - ], - "OperationName": "streamStarted", - "ServiceName": "Crowdstrike Streaming API", - "Success": true, - "UTCTimestamp": "2020-02-12T21:29:10.000Z", - "UserId": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz", - "UserIp": "10.10.0.8" - }, - "metadata": { - "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "eventCreationTime": "2020-02-12T21:29:10.710Z", - "eventType": "AuthActivityAuditEvent", - "offset": 0, - "version": "1.0" - } - }, - "data_stream": { - "dataset": "crowdstrike.falcon", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "authentication" - ], - "dataset": "crowdstrike.falcon", - "ingested": "2022-05-09T16:35:19Z", - "kind": "event", - "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 0,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581542950710,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"api-client-id:1234567890abcdefghijklmnopqrstuvwxyz\",\n \"UserIp\": 
\"10.10.0.8\",\n \"OperationName\": \"streamStarted\",\n \"ServiceName\": \"Crowdstrike Streaming API\",\n \"Success\": true,\n \"UTCTimestamp\": 1581542950,\n \"AuditKeyValues\": [\n {\n \"Key\": \"APIClientID\",\n \"ValueString\": \"1234567890abcdefghijklmnopqr\"\n },\n {\n \"Key\": \"partition\",\n \"ValueString\": \"0\"\n },\n {\n \"Key\": \"offset\",\n \"ValueString\": \"-1\"\n },\n {\n \"Key\": \"appId\",\n \"ValueString\": \"siem-connector-v2.0.0\"\n },\n {\n \"Key\": \"eventType\",\n \"ValueString\": \"[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]\"\n }\n ]\n }\n}", - "outcome": "success", - "type": [ - "change" - ] - }, - "event.action": "stream_started", - "input": { - "type": "log" - }, - "log": { - "file": { - "path": "/tmp/service_logs/falcon-audit-events.log" - }, - "flags": [ - "multiline" - ], - "offset": 910 - }, - "message": "Crowdstrike Streaming API", - "related": { - "ip": [ - "10.10.0.8" - ], - "user": [ - "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" - ] - }, - "source": { - "ip": "10.10.0.8" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "crowdstrike-falcon" - ], - "user": { - "name": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" - } -} \ No newline at end of file diff --git a/packages/crowdstrike/1.3.3/data_stream/fdr/agent/stream/aws-s3.yml.hbs b/packages/crowdstrike/1.3.3/data_stream/fdr/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index bd89d34816..0000000000 --- a/packages/crowdstrike/1.3.3/data_stream/fdr/agent/stream/aws-s3.yml.hbs +++ /dev/null 
@@ -1,57 +0,0 @@
-queue_url: {{queue_url}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if visibility_timeout}}
-visibility_timeout: {{visibility_timeout}}
-{{/if}}
-{{#if api_timeout}}
-api_timeout: {{api_timeout}}
-{{/if}}
-{{#if endpoint}}
-endpoint: {{endpoint}}
-{{/if}}
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if fips_enabled}}
-fips_enabled: {{fips_enabled}}
-{{/if}}
-{{#if proxy_url }}
-proxy_url: {{proxy_url}}
-{{/if}}
-{{#if is_fdr_queue}}
-sqs.notification_parsing_script.source: {{fdr_parsing_script}}
-{{/if}}
-{{#if tags.length}}
-tags:
-{{else}}
-{{#if preserve_original_event}}
-tags:
-{{/if}}
-{{/if}}
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/crowdstrike/1.3.3/data_stream/fdr/agent/stream/stream.yml.hbs b/packages/crowdstrike/1.3.3/data_stream/fdr/agent/stream/stream.yml.hbs
deleted file mode 100755
index 51174aef53..0000000000
--- a/packages/crowdstrike/1.3.3/data_stream/fdr/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,26 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-{{#if tags.length}}
-tags:
-{{else}}
-{{#if preserve_original_event}}
-tags:
-{{/if}}
-{{/if}}
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
- - add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/crowdstrike/1.3.3/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/1.3.3/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 9d13169d05..0000000000
--- a/packages/crowdstrike/1.3.3/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,2258 +0,0 @@ ---- -description: Pipeline for processing sample logs -processors: - ## Message decoding. - - rename: - tag: message-to-original - field: message - target_field: event.original - - json: - tag: json-decoding - description: Decodes original JSON into `crowdstrike` field. - field: event.original - target_field: crowdstrike - - date: - tag: date-timestamp - description: Parse timestamp from event. - field: crowdstrike.timestamp - target_field: event.created - formats: - - UNIX_MS - ignore_failure: true - - date: - tag: date-event-created - description: Parse timestamp from event. - field: crowdstrike.CreationTimeStamp - target_field: event.created - formats: - - UNIX - ignore_failure: true - if: ctx.event?.created == null - - set: - tag: set-timestamp - field: "@timestamp" - copy_from: event.created - if: ctx.event?.created != null && (ctx.crowdstrike?.ContextTimeStamp == null || ctx.crowdstrike?.ContextTimeStamp == "") - - date: - tag: date-context-timestamp - if: ctx.crowdstrike?.ContextTimeStamp != null - field: crowdstrike.ContextTimeStamp - formats: - - UNIX - ignore_failure: true - - rename: - tag: rename-message - field: crowdstrike.message - target_field: message - ignore_missing: true - - ## ECS fields. - - set: - field: ecs.version - value: "8.2.0" - - ## Categorization. - - script: - tag: script-categorize-events - description: Categorize events. 
- lang: painless - params: - AcUninstallConfirmation: - category: [ package ] - type: [ deletion ] - kind: state - outcome: success - AcUnloadConfirmation: - category: [ package ] - type: [ deletion ] - kind: state - outcome: success - AgentConnect: - category: [ network, session ] - type: [ connection, info ] - kind: event - outcome: success - AgentOnline: - category: [ configuration, package, host ] - type: [ change, installation, start ] - kind: state - outcome: success - AmsiRegistrationStatus: - category: [ host ] - type: [ info ] - kind: state - outcome: success - AsepFileChange: - category: [ file ] - type: [ creation, change ] - kind: event - outcome: success - AsepKeyUpdate: - category: [ registry ] - type: [ change ] - kind: event - outcome: success - AsepValueUpdate: - category: [ registry ] - type: [ change ] - kind: event - outcome: success - AssociateIndicator: - category: [ malware ] - type: [ info ] - kind: alert - outcome: unknown - AssociateTreeIdWithRoot: - category: [ malware ] - type: [ info ] - kind: alert - outcome: success - BITSJobCreated: - category: [ network, file ] - type: [ connection, creation ] - kind: event - outcome: success - BZip2FileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - BehaviorWhitelisted: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - BrowserInjectedThread: - category: [ process ] - type: [ access, change ] - kind: event - outcome: success - CloudAssociateTreeIdWithRoot: - category: [ malware ] - type: [ deletion ] - kind: alert - outcome: success - CommandHistory: - category: [ process ] - type: [ end, info ] - kind: event - outcome: success - ConfigStateUpdate: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - CrashNotification: - category: [ host ] - type: [ info ] - kind: event - outcome: failure - CreateProcessArgs: - category: [ process ] - type: [ start ] - kind: state - outcome: success - 
CreateService: - category: [ host ] - type: [ change ] - kind: event - outcome: success - CreateThreadNoStartImage: - category: [ process ] - type: [ start ] - kind: event - outcome: success - CreateThreadReflectiveDll: - category: [ process ] - type: [ change ] - kind: event - outcome: success - CriticalEnvironmentVariableChanged: - category: [ configuration, host ] - type: [ change ] - kind: event - outcome: success - CriticalFileAccessed: - category: [ file ] - type: [ access ] - kind: alert - outcome: success - CriticalFileModified: - category: [ file ] - type: [ change ] - kind: alert - outcome: success - CurrentSystemTags: - category: [ host ] - type: [ info ] - kind: state - outcome: success - CustomIOABasicProcessDetectionInfoEvent: - category: [ malware ] - type: [ info ] - kind: alert - outcome: unknown - DCSyncAttempted: - category: [ configuration, iam ] - type: [ access ] - kind: event - outcome: unknown - DcOffline: - category: [ iam ] - type: [ info ] - kind: event - outcome: success - DcOnline: - category: [ iam ] - type: [ info ] - kind: event - outcome: success - DcStatus: - category: [ iam ] - type: [ info ] - kind: state - outcome: success - DetectAnalysis: - category: [ malware ] - type: [ info ] - kind: alert - outcome: success - DetectionExcluded: - category: [ configuration, malware ] - type: [ change, info ] - kind: alert - outcome: success - DirectoryCreate: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - DllInjection: - category: [ process ] - type: [ change ] - kind: event - outcome: success - DmpFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - DnsRequest: - category: [ network ] - type: [ protocol ] - kind: event - outcome: success - DocumentProgramInjectedThread: - category: [ process ] - type: [ access, change ] - kind: event - outcome: success - DriverLoad: - category: [ driver ] - type: [ start ] - kind: event - outcome: success - DwgFileWritten: - category: [ 
file ] - type: [ creation ] - kind: event - outcome: success - EarlyExploitPivotDetect: - category: [ malware ] - type: [ info ] - kind: event - outcome: unknown - EndOfProcess: - category: [ process ] - type: [ end ] - kind: event - outcome: success - ErrorEvent: - category: [ package ] - type: [ info ] - kind: alert - outcome: failure - EtwErrorEvent: - category: [ package, host ] - type: [ info ] - kind: event - outcome: failure - ExecutableDeleted: - category: [ file ] - type: [ deletion ] - kind: event - outcome: success - FalconHostRegTamperingInfo: - category: [ registry ] - type: [ change ] - kind: alert - outcome: unknown - FalconServiceStatus: - category: [ package ] - type: [ info ] - kind: state - outcome: unknown - FileCreateInfo: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - FileDeleteInfo: - category: [ file ] - type: [ deletion ] - kind: event - outcome: success - FileDetectInfo: - category: [ file ] - type: [ info ] - kind: alert - outcome: unknown - FileInfo: - category: [ file ] - type: [ info ] - kind: event - outcome: unknown - FileOpenInfo: - category: [ file ] - type: [ access ] - kind: event - outcome: success - FileRenameInfo: - category: [ file ] - type: [ change ] - kind: event - outcome: success - FileSystemOperationBlocked: - category: [ file ] - type: [ change, deletion ] - kind: event - outcome: failure - FileSystemOperationDetectInfo: - category: [ file ] - type: [ change, deletion ] - kind: alert - outcome: unknown - FileTimestampsModified: - category: [ file ] - type: [ change ] - kind: event - outcome: success - FirewallChangeOption: - category: [ configuration, host ] - type: [ change ] - kind: event - outcome: success - FirewallDeleteRule: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - FirewallDeleteRuleIP4: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - FirewallDeleteRuleIP6: - category: [ configuration ] - type: [ change ] 
- kind: event - outcome: success - FirewallDisabled: - category: [ configuration, host ] - type: [ change ] - kind: event - outcome: success - FirewallEnabled: - category: [ configuration, host ] - type: [ change ] - kind: event - outcome: success - FirewallSetRule: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - FirewallSetRuleIP4: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - FirewallSetRuleIP6: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - FirmwareAnalysisErrorEvent: - category: [ host ] - type: [ info ] - kind: state - outcome: failure - FirmwareAnalysisHardwareData: - category: [ host ] - type: [ info ] - kind: state - outcome: success - FirmwareAnalysisStatus: - category: [ host ] - type: [ info ] - kind: state - outcome: success - FlashThreadCreateProcess: - category: [ process ] - type: [ start ] - kind: event - outcome: success - FsPostOpenSnapshotFile: - category: [ file ] - type: [ access ] - kind: event - outcome: success - FsVolumeMounted: - category: [ host ] - type: [ change ] - kind: event - outcome: success - FsVolumeUnmounted: - category: [ host ] - type: [ change ] - kind: event - outcome: success - HostInfo: - category: [ host ] - type: [ info ] - kind: event - outcome: success - HostedServiceStarted: - category: [ package ] - type: [ start ] - kind: event - outcome: success - HostedServiceStopped: - category: [ package ] - type: [ end ] - kind: event - outcome: success - HostnameChanged: - category: [ host ] - type: [ change ] - kind: event - outcome: success - HttpRequestDetect: - category: [ network, session ] - type: [ connection, start ] - kind: event - outcome: success - HttpVisibilityStatus: - category: [ session ] - type: [ info ] - kind: state - outcome: unknown - IOServiceRegister: - category: [ package ] - type: [ change ] - kind: event - outcome: success - ImageHash: - category: [ process ] - type: [ change ] - kind: event 
- outcome: success - InjectedThread: - category: [ process ] - type: [ change ] - kind: event - outcome: success - InjectedThreadFromUnsignedModule: - category: [ process ] - type: [ change ] - kind: alert - outcome: success - InstallBundleDownloadComplete: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - InstallServiceDownloadComplete: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - InstalledApplication: - category: [ package ] - type: [ installation ] - kind: event - outcome: success - InstalledUpdates: - category: [ host, package ] - type: [ change, installation ] - kind: event - outcome: success - InstanceMetadata: - category: [ host ] - type: [ info ] - kind: state - outcome: unknown - IoSessionConnected: - category: [ session ] - type: [ start ] - kind: event - outcome: success - IoSessionLoggedOn: - category: [ session ] - type: [ end ] - kind: event - outcome: success - JarFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - JavaClassFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - JavaInjectedThread: - category: [ process ] - type: [ change ] - kind: event - outcome: success - KernelModeLoadImage: - category: [ driver ] - type: [ start ] - kind: event - outcome: success - KextLoad: - category: [ driver ] - type: [ start ] - kind: event - outcome: success - KextUnload: - category: [ driver ] - type: [ end ] - kind: event - outcome: success - LFODownloadConfirmation: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - LfoUploadDataComplete: - category: [ file ] - type: [ change ] - kind: event - outcome: success - LfoUploadDataFailed: - category: [ file ] - type: [ change ] - kind: event - outcome: failure - LfoUploadDataUnneeded: - category: [ file ] - type: [ change ] - kind: event - outcome: failure - LocalIpAddressIP4: - category: [ configuration, host ] - type: [ change ] - kind: state - outcome: 
success - LocalIpAddressIP6: - category: [ configuration, host ] - type: [ change ] - kind: state - outcome: success - LocalIpAddressRemovedIP4: - category: [ configuration, host ] - type: [ change ] - kind: state - outcome: success - LocalIpAddressRemovedIP6: - category: [ configuration, host ] - type: [ change ] - kind: state - outcome: success - LsassHandleFromUnsignedModule: - category: [ process ] - type: [ change ] - kind: alert - outcome: unknown - MachOFileWritten: - category: [ file ] - type: [ change ] - kind: event - outcome: success - ManifestDownloadComplete: - category: [ configuration, file ] - type: [ change, creation ] - kind: event - outcome: success - ModifyServiceBinary: - category: [ file ] - type: [ change ] - kind: alert - outcome: unknown - ModuleBlockedEvent: - category: [ process, malware ] - type: [ info, denied ] - kind: alert - outcome: success - ModuleBlockedEventWithPatternId: - category: [ process, malware ] - type: [ info ] - kind: event - outcome: unknown - ModuleDetectInfo: - category: [ process, malware ] - type: [ info ] - kind: event - outcome: unknown - NeighborListIP4: - category: [ host, network ] - type: [ info ] - kind: state - outcome: unknown - NeighborListIP6: - category: [ host, network ] - type: [ info ] - kind: state - outcome: unknown - NetShareAdd: - category: [ host ] - type: [ change ] - kind: event - outcome: success - NetShareDelete: - category: [ host ] - type: [ change ] - kind: event - outcome: success - NetShareSecurityModify: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - NetworkCloseIP4: - category: [ network ] - type: [ end, connection ] - kind: event - outcome: unknown - NetworkCloseIP6: - category: [ network ] - type: [ end, connection ] - kind: event - outcome: unknown - NetworkConnectIP4: - category: [ network ] - type: [ start, connection ] - kind: event - outcome: unknown - NetworkConnectIP6: - category: [ network ] - type: [ start, connection ] - kind: event - 
outcome: unknown - NetworkListenIP4: - category: [ network ] - type: [ start ] - kind: event - outcome: success - NetworkListenIP6: - category: [ network ] - type: [ start ] - kind: event - outcome: success - NetworkReceiveAcceptIP4: - category: [ network ] - type: [ allowed, access, connection ] - kind: event - outcome: unknown - NetworkReceiveAcceptIP6: - category: [ network ] - type: [ allowed, access, connection ] - kind: event - outcome: unknown - NewExecutableRenamed: - category: [ file ] - type: [ change ] - kind: event - outcome: success - NewExecutableWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - NewScriptWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - OciContainerTelemetry: - category: [ host ] - type: [ info ] - kind: state - outcome: unknown - OleFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - OoxmlFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - OsVersionInfo: - category: [ host ] - type: [ info ] - kind: event - outcome: success - PackedExecutableWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - PdfFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - PeFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - PeVersionInfo: - category: [ file ] - type: [ info ] - kind: event - outcome: success - PrivilegedProcessHandleFromUnsignedModule: - category: [ process ] - type: [ access ] - kind: alert - outcome: success - ProcessBlocked: - category: [ process ] - type: [ access ] - kind: alert - outcome: failure - ProcessExecOnPackedExecutable: - category: [ process, file ] - type: [ access ] - kind: alert - outcome: success - ProcessExecOnSMBFile: - category: [ process, file, network ] - type: [ access ] - kind: alert - outcome: success - ProcessHandleOpDetectInfo: - category: [ process, malware ] 
- type: [ info ] - kind: alert - outcome: success - ProcessInjection: - category: [ process ] - type: [ change ] - kind: event - outcome: success - ProcessRollup2: - category: [ process ] - type: [ start ] - kind: event - outcome: success - ProcessRollup2Stats: - category: [ process ] - type: [ info ] - kind: state - outcome: unknown - ProcessSelfDeleted: - category: [ process ] - type: [ end ] - kind: event - outcome: success - PromiscuousBindIP4: - category: [ host ] - type: [ change ] - kind: state - outcome: success - PtyCreated: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - QuarantineActionResult: - category: [ file ] - type: [ info ] - kind: alert - outcome: unknown - QuarantinedFile: - category: [ file ] - type: [ change ] - kind: alert - outcome: unknown - QuarantinedFileState: - category: [ file ] - type: [ info ] - kind: alert - outcome: unknown - QueueApcEtw: - category: [ file ] - type: [ creation ] - kind: alert - outcome: success - RansomwareCreateFile: - category: [ file ] - type: [ creation ] - kind: alert - outcome: success - RansomwareFileAccessPattern: - category: [ file ] - type: [ access ] - kind: alert - outcome: success - RansomwareOpenFile: - category: [ file ] - type: [ access ] - kind: alert - outcome: success - RarFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - RawBindIP4: - category: [ network ] - type: [ start, connection ] - kind: event - outcome: success - RawBindIP6: - category: [ network ] - type: [ start, connection ] - kind: event - outcome: success - ReflectiveDllOpenProcess: - category: [ process ] - type: [ access ] - kind: alert - outcome: success - RegGenericValueUpdate: - category: [ registry ] - type: [ change ] - kind: event - outcome: success - RegSystemConfigValueUpdate: - category: [ registry, host, configuration ] - type: [ change ] - kind: event - outcome: success - RegisterRawInputDevicesEtw: - category: [ host, configuration ] - type: [ change 
] - kind: event - outcome: success - RegistryOperationDetectInfo: - category: [ malware, registry ] - type: [ info ] - kind: alert - outcome: success - RemoteBruteForceDetectInfo: - category: [ malware, authentication ] - type: [ info ] - kind: alert - outcome: success - RemovableDiskModuleLoadAttempt: - category: [ configuration, host ] - type: [ change ] - kind: event - outcome: success - RemovableMediaVolumeMounted: - category: [ configuration, host ] - type: [ change ] - kind: event - outcome: success - RtfFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - SAMHashDumpFromUnsignedModule: - category: [ registry, file ] - type: [ access, creation ] - kind: alert - outcome: success - ScheduledTaskDeleted: - category: [ configuration ] - type: [ deletion ] - kind: event - outcome: success - ScheduledTaskModified: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - ScheduledTaskRegistered: - category: [ configuration ] - type: [ creation ] - kind: event - outcome: success - ScreenshotTakenEtw: - category: [ process ] - type: [ access ] - kind: event - outcome: success - ScriptControlBlocked: - category: [ malware, file ] - type: [ info ] - kind: alert - outcome: success - ScriptControlDetectInfo: - category: [ malware, file ] - type: [ info ] - kind: alert - outcome: success - ScriptControlErrorEvent: - category: [ malware, file ] - type: [ info ] - kind: alert - outcome: failure - ScriptControlScanInfo: - category: [ malware, file ] - type: [ info ] - kind: state - outcome: success - ScriptControlScanTelemetry: - category: [ malware, file ] - type: [ info ] - kind: state - outcome: success - SensitiveWmiQuery: - category: [ malware, process ] - type: [ info ] - kind: alert - outcome: success - SensorHeartbeat: - category: [ package ] - type: [ info ] - kind: event - outcome: success - ServiceStarted: - category: [ process ] - type: [ start ] - kind: event - outcome: success - SetWinEventHookEtw: 
- category: [ host, configuration ] - type: [ change ] - kind: event - outcome: success - SevenZipFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - SignInfoError: - category: [ file ] - type: [ info ] - kind: state - outcome: failure - SignInfoWithCertAndContext: - category: [ file ] - type: [ info ] - kind: state - outcome: unknown - SignInfoWithContext: - category: [ file ] - type: [ info ] - kind: state - outcome: unknown - SmbClientNamedPipeConnectEtw: - category: [ network ] - type: [ connection ] - kind: event - outcome: success - SmbClientShareClosedEtw: - category: [ network ] - type: [ connection, end ] - kind: event - outcome: success - SmbClientShareOpenedEtw: - category: [ network ] - type: [ connection, start ] - kind: event - outcome: success - SmbServerShareOpenedEtw: - category: [ network ] - type: [ connection, start ] - kind: event - outcome: success - SmbServerV1AuditEtw: - category: [ network ] - type: [ connection ] - kind: state - outcome: unknown - SnapshotVolumeMounted: - category: [ host, configuration ] - type: [ change ] - kind: event - outcome: success - SuspiciousCreateSymbolicLink: - category: [ malware, file ] - type: [ creation, info ] - kind: alert - outcome: success - SuspiciousDnsRequest: - category: [ network ] - type: [ start, protocol ] - kind: alert - outcome: success - SuspiciousEseFileWritten: - category: [ malware, file ] - type: [ creation, info ] - kind: alert - outcome: success - SuspiciousRegAsepUpdate: - category: [ malware, registry, configuration ] - type: [ change, info ] - kind: alert - outcome: success - SuspiciousUserRemoteAPCAttempt: - category: [ malware, process ] - type: [ info ] - kind: alert - outcome: success - SyntheticProcessRollup2: - category: [ process ] - type: [ start ] - kind: event - outcome: success - SystemCapacity: - category: [ host ] - type: [ info ] - kind: state - outcome: success - TarFileWritten: - category: [ file ] - type: [ creation ] - kind: 
event - outcome: success - TelemetryCounters2: - category: [ host ] - type: [ info ] - kind: state - outcome: success - TelemetryNetworkConnections: - category: [ network ] - type: [ connection ] - kind: state - outcome: success - TelemetryStats: - category: [ host ] - type: [ info ] - kind: state - outcome: success - TerminateProcess: - category: [ process ] - type: [ end ] - kind: event - outcome: success - TokenImpersonated: - category: [ process, authentication ] - type: [ info, change ] - kind: event - outcome: success - UACCOMElevation: - category: [ process, authentication ] - type: [ info, change ] - kind: event - outcome: success - UACExeElevation: - category: [ process, authentication ] - type: [ info, change ] - kind: event - outcome: success - UACMSIElevation: - category: [ process, authentication ] - type: [ info, change ] - kind: event - outcome: success - UmppaErrorEvent: - category: [ package ] - type: [ info ] - kind: event - outcome: failure - UnsignedModuleLoad: - category: [ process ] - type: [ change ] - kind: alert - outcome: success - UpdateManifestDownloadComplete: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - UserAccountAddedToGroup: - category: [ configuration, iam ] - type: [ change, group ] - kind: event - outcome: success - UserAccountCreated: - category: [ configuration, iam ] - type: [ creation ] - kind: event - outcome: success - UserAccountDeleted: - category: [ configuration, iam ] - type: [ deletion ] - kind: event - outcome: success - UserExceptionDEP: - category: [ process, malware ] - type: [ info ] - kind: alert - outcome: success - UserFontLoad: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - UserIdentity: - category: [ authentication, iam ] - type: [ info, user ] - kind: event - outcome: success - UserLogoff: - category: [ authentication ] - type: [ end ] - kind: event - outcome: success - UserLogon: - category: [ authentication ] - type: [ start ] - kind: 
event - outcome: success - UserLogonFailed: - category: [ authentication ] - type: [ start ] - kind: event - outcome: failure - UserLogonFailed2: - category: [ authentication ] - type: [ start ] - kind: event - outcome: failure - VolumeSnapshotCreated: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - VolumeSnapshotDeleted: - category: [ file ] - type: [ deletion ] - kind: event - outcome: success - WfpFilterTamperingFilterAdded: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - WfpFilterTamperingFilterDeleted: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - WmiCreateProcess: - category: [ process ] - type: [ start ] - kind: event - outcome: success - WmiFilterConsumerBindingEtw: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - WmiProviderRegistrationEtw: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - WroteExeAndGeneratedServiceEvent: - category: [ process ] - type: [ access ] - kind: alert - outcome: success - XarFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - ZipFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - source: |- - def m = params.get(ctx.crowdstrike?.event_simpleName); - if (m != null) { - m.forEach((k, v) -> { - if (v instanceof List) { - ctx.event[k] = new ArrayList(v); - } else { - ctx.event[k] = v; - } - }); - } - - ## Event fields. - - rename: - field: crowdstrike.id - target_field: event.id - ignore_missing: true - - rename: - field: crowdstrike.event_simpleName - target_field: event.action - ignore_missing: true - -## Prepare data. - - script: - tag: convert-count-fields-to-long - description: Convert all count fields to number. 
- lang: painless - source: |- - for (entry in ctx.crowdstrike.entrySet()) { - def key = entry.getKey().toString(); - if (key.contains("Count") || key.contains("Port")) { - try { - ctx.crowdstrike[key] = Long.parseLong(entry.getValue().toString()); - } catch (Exception e) { - } - } - } - - script: - tag: remove-empty-hashes - description: Remove all 0's hashes. - lang: painless - params: - MD5HashData: md5 - SHA1HashData: sha1 - SHA256HashData: sha256 - source: |- - def hashIsEmpty(String hash) { - if (hash == null || hash == "") { - return true; - } - - Pattern emptyHashRegex = /^0*$/; - def matcher = emptyHashRegex.matcher(hash); - - return matcher.matches(); - } - - def hashes = new HashMap(); - def related = [ - "hash": new ArrayList() - ]; - for (entry in params.entrySet()) { - def key = entry.getKey().toString(); - def value = ctx.crowdstrike[key]; - ctx.crowdstrike.remove(key); - if (hashIsEmpty(value)) { - continue; - } - - hashes[entry.getValue().toString()] = value; - related.hash.add(value); - } - - ctx._temp = new HashMap(); - ctx._temp.hashes = hashes; - if (related.hash.length > 0) { - ctx.related = related; - } - - ## Observer fields. 
- - rename: - field: crowdstrike.aid - target_field: observer.serial_number - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.aip - type: ip - ignore_missing: true - - rename: - field: crowdstrike.aip - target_field: observer.ip - ignore_missing: true - ignore_failure: true - - set: - field: observer.address - copy_from: observer.ip - ignore_empty_value: true - - rename: - field: crowdstrike.AgentVersion - target_field: observer.version - ignore_missing: true - ignore_failure: true - - rename: - field: crowdstrike.ConfigBuild - target_field: observer.version - ignore_missing: true - ignore_failure: true - - set: - field: observer.vendor - value: crowdstrike - - set: - field: observer.type - value: agent - - append: - field: related.ip - value: "{{{observer.ip}}}" - allow_duplicates: false - if: ctx.observer?.ip != null && ctx.observer.ip != "" - - append: - field: related.hosts - value: "{{{observer.ip}}}" - allow_duplicates: false - if: ctx.observer?.ip != null && ctx.observer.ip != "" - - ## Host fields. 
- - rename: - field: crowdstrike.ComputerName - target_field: host.hostname - ignore_missing: true - ignore_failure: true - - set: - field: host.name - copy_from: host.hostname - ignore_empty_value: true - ignore_failure: true - - append: - field: related.hosts - value: "{{{host.name}}}" - allow_duplicates: false - if: ctx.host?.name != null - - rename: - field: crowdstrike.City - target_field: host.geo.city_name - ignore_missing: true - ignore_failure: true - - rename: - field: crowdstrike.Continent - target_field: host.geo.continent_name - ignore_missing: true - ignore_failure: true - - rename: - field: crowdstrike.Country - target_field: host.geo.country_name - ignore_missing: true - ignore_failure: true - - rename: - field: crowdstrike.Timezone - target_field: host.geo.timezone - ignore_missing: true - ignore_failure: true - - rename: - field: crowdstrike.MachineDomain - target_field: host.domain - ignore_missing: true - ignore_failure: true - - ## IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - ## IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - ## OS fields. 
- - set: - field: os.type - value: linux - if: ctx.crowdstrike?.event_platform != null && ctx.crowdstrike?.event_platform == "Lin" - - set: - field: os.type - value: macos - if: ctx.crowdstrike?.event_platform != null && ctx.crowdstrike?.event_platform == "Mac" - - set: - field: os.type - value: windows - if: ctx.crowdstrike?.event_platform != null && ctx.crowdstrike?.event_platform == "Win" - - rename: - field: crowdstrike.OSVersionString - target_field: os.version - ignore_missing: true - ignore_failure: true - - rename: - field: crowdstrike.Version - target_field: os.version - ignore_missing: true - ignore_failure: true - - ## Process fields. - - rename: - field: crowdstrike.CommandLine - target_field: process.command_line - ignore_missing: true - - script: - tag: split-command-line - description: Implements Windows-like SplitCommandLine - lang: painless - if: ctx.process?.command_line != null && ctx.process.command_line != "" && ctx.os?.type != null - source: |- - // appendBSBytes appends n '\\' bytes to b and returns the resulting slice. - def appendBSBytes(StringBuilder b, int n) { - for (; n > 0; n--) { - b.append('\\'); - } - return b; - } - - // readNextArg splits command line string cmd into next - // argument and command line remainder. 
- def readNextArg(String cmd) { - def b = new StringBuilder(); - boolean inquote; - int nslash; - for (; cmd.length() > 0; cmd = cmd.substring(1)) { - def c = cmd.charAt(0); - if (c == (char)' ' || c == (char)0x09) { - if (!inquote) { - return [ - "arg": appendBSBytes(b, nslash).toString(), - "rest": cmd.substring(1) - ]; - } - } else if (c == (char)'"') { - b = appendBSBytes(b, nslash/2); - if (nslash%2 == 0) { - // use "Prior to 2008" rule from - // http://daviddeley.com/autohotkey/parameters/parameters.htm - // section 5.2 to deal with double double quotes - if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') { - b.append(c); - cmd = cmd.substring(1); - } - inquote = !inquote; - } else { - b.append(c); - } - nslash = 0; - continue; - } else if (c == (char)'\\') { - nslash++; - continue; - } - b = appendBSBytes(b, nslash); - nslash = 0; - b.append(c); - } - return [ - "arg": appendBSBytes(b, nslash).toString(), - "rest": '' - ]; - } - - // commandLineToArgv splits a command line into individual argument - // strings, following the Windows conventions documented - // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV - // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1 - def commandLineToArgv(String cmd) { - def args = new ArrayList(); - while (cmd.length() > 0) { - if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) { - cmd = cmd.substring(1); - continue; - } - def next = readNextArg(cmd); - cmd = next.rest; - args.add(next.arg); - } - return args; - } - - ctx.process.args = commandLineToArgv(ctx.process.command_line); - ctx.process.args_count = ctx.process.args.length; - - - rename: - field: crowdstrike.ImageFileName - target_field: process.executable - ignore_missing: true - - convert: - field: crowdstrike.ExitCode - type: long - ignore_missing: true - - rename: - field: crowdstrike.ExitCode - target_field: process.exit_code - ignore_missing: true - - script: 
- tag: process-uptime - lang: painless - description: Calculate process.uptime - source: |- - def d1 = Float.parseFloat(ctx.crowdstrike?.ProcessStartTime); - def d2 = Float.parseFloat(ctx.crowdstrike?.ProcessEndTime); - if (ctx.process == null) { - ctx.process = []; - } - ctx.process.uptime = (long) ((d2-d1)/1000); - if: ctx.crowdstrike?.ProcessStartTime != null && ctx.crowdstrike?.ProcessStartTime != "" && ctx.crowdstrike?.ProcessEndTime != null && ctx.crowdstrike?.ProcessEndTime != "" - - date: - field: crowdstrike.ProcessStartTime - target_field: crowdstrike.ProcessStartTime - formats: - - UNIX - if: ctx.crowdstrike?.ProcessStartTime != null && ctx.crowdstrike?.ProcessStartTime != "" - - rename: - field: crowdstrike.ProcessStartTime - target_field: process.start - ignore_missing: true - if: ctx.crowdstrike?.ProcessStartTime != "" - - date: - field: crowdstrike.ProcessEndTime - target_field: crowdstrike.ProcessEndTime - formats: - - UNIX - if: ctx.crowdstrike?.ProcessEndTime != null && ctx.crowdstrike?.ProcessEndTime != "" - - rename: - field: crowdstrike.ProcessEndTime - target_field: process.end - ignore_missing: true - if: ctx.crowdstrike?.ProcessEndTime != "" - - convert: - field: crowdstrike.RawProcessId - type: long - ignore_missing: true - - rename: - field: crowdstrike.RawProcessId - target_field: process.pid - ignore_missing: true - - rename: - field: crowdstrike.TargetProcessId - target_field: process.entity_id - ignore_missing: true - - rename: - field: crowdstrike.ParentProcessId - target_field: process.parent.entity_id - ignore_missing: true - - rename: - field: crowdstrike.ParentBaseFileName - target_field: process.parent.name - ignore_missing: true - - convert: - field: crowdstrike.ProcessGroupId - type: long - ignore_missing: true - - rename: - field: crowdstrike.ProcessGroupId - target_field: process.pgid - ignore_missing: true - - rename: - field: crowdstrike.ContextProcessId - target_field: process.entity_id - ignore_missing: true - 
ignore_failure: true - if: ctx.process?.entity_id == null - - convert: - field: crowdstrike.ContextThreadId - type: long - ignore_missing: true - if: ctx.process?.thread?.id == null - - rename: - field: crowdstrike.ContextThreadId - target_field: process.thread.id - ignore_missing: true - ignore_failure: true - if: ctx.process?.thread?.id == null - - convert: - field: crowdstrike.EtwRawProcessId - type: long - ignore_missing: true - - rename: - field: crowdstrike.EtwRawProcessId - target_field: process.pid - ignore_missing: true - if: ctx.process?.pid == null - - convert: - field: crowdstrike.EtwRawThreadId - type: long - ignore_missing: true - - rename: - field: crowdstrike.EtwRawThreadId - target_field: process.thread.id - ignore_missing: true - if: ctx.process?.thread?.id == null - - rename: - field: crowdstrike.ServiceDisplayName - target_field: process.title - ignore_missing: true - - rename: - field: _temp.hashes - target_field: process.hash - if: ctx.event?.action != null && (ctx.event.action.contains("Process") || ctx.event.action.contains("Service")) && ctx._temp?.hashes != null && ctx._temp?.hashes.size() > 0 - - ## User fields. 
- - rename: - field: crowdstrike.UID - target_field: user.id - ignore_missing: true - - rename: - field: crowdstrike.GID - target_field: user.group.id - ignore_missing: true - - rename: - field: crowdstrike.UserSid - target_field: user.id - ignore_missing: true - if: ctx.user?.id == null || ctx.user.id == "" - - append: - field: user.roles - value: admin - if: ctx.crowdstrike?.UserIsAdmin == "1" - - rename: - field: crowdstrike.UserName - target_field: user.name - ignore_missing: true - - split: - field: crowdstrike.UserPrincipal - target_field: "_temp.user_parts" - separator: '@' - if: ctx.crowdstrike?.UserPrincipal != null - - rename: - field: crowdstrike.UserPrincipal - target_field: user.email - ignore_missing: true - - set: - field: user.domain - value: "{{{_temp.user_parts.1}}}" - ignore_failure: true - ignore_empty_value: true - if: ctx._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 - - set: - field: user.full_name - value: "{{{_temp.user_parts.0}}}" - ignore_failure: true - ignore_empty_value: true - if: ctx._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 - - append: - field: related.user - value: "{{{user.name}}}" - ignore_failure: true - allow_duplicates: false - if: ctx.user?.name != null - - append: - field: related.user - value: "{{{user.full_name}}}" - ignore_failure: true - allow_duplicates: false - if: ctx.user?.full_name != null - - ## Networking fields. 
- - convert: - field: crowdstrike.LocalAddressIP4 - type: ip - ignore_missing: true - - rename: - field: crowdstrike.LocalAddressIP4 - target_field: source.ip - ignore_missing: true - - set: - field: source.address - copy_from: source.ip - ignore_empty_value: true - - convert: - field: crowdstrike.LocalAddressIP6 - type: ip - ignore_missing: true - - rename: - field: crowdstrike.LocalAddressIP6 - target_field: source.ip - ignore_missing: true - - set: - field: source.address - copy_from: source.ip - ignore_empty_value: true - - rename: - field: crowdstrike.LocalPort - target_field: source.port - ignore_missing: true - - convert: - field: crowdstrike.RemoteAddressIP4 - type: ip - ignore_missing: true - - rename: - field: crowdstrike.RemoteAddressIP4 - target_field: destination.ip - ignore_missing: true - - set: - field: destination.address - copy_from: destination.ip - ignore_empty_value: true - - convert: - field: crowdstrike.RemoteAddressIP6 - type: ip - ignore_missing: true - - rename: - field: crowdstrike.RemoteAddressIP6 - target_field: destination.ip - ignore_missing: true - - set: - field: destination.address - copy_from: destination.ip - ignore_empty_value: true - - rename: - field: crowdstrike.RemotePort - target_field: destination.port - ignore_missing: true - - rename: - field: crowdstrike.Protocol - target_field: network.iana_number - ignore_missing: true - - script: - tag: network-transport-lookup - lang: painless - ignore_failure: true - if: ctx.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == '0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if 
(iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - set: - field: network.direction - value: outbound - if: ctx.crowdstrike?.ConnectionDirection == "0" - - set: - field: network.direction - value: inbound - if: ctx.crowdstrike?.ConnectionDirection == "1" - - set: - field: network.direction - value: unknown - if: ctx.network?.direction == null && ctx.crowdstrike?.ConnectionDirection != null && ctx.crowdstrike.ConnectionDirection != "" - - community_id: - ignore_missing: true - ignore_failure: true - - append: - field: related.ip - value: "{{{source.ip}}}" - allow_duplicates: false - if: ctx.source?.ip != null && ctx.source.ip != "" - - append: - field: related.ip - value: "{{{destination.ip}}}" - allow_duplicates: false - if: ctx.destination?.ip != null && ctx.destination.ip != "" - - append: - field: related.hosts - value: "{{{source.ip}}}" - allow_duplicates: false - if: ctx.source?.ip != null && ctx.source.ip != "" - - append: - field: related.hosts - value: "{{{destination.ip}}}" - allow_duplicates: false - if: ctx.destination?.ip != null && ctx.destination.ip != "" - - rename: - field: crowdstrike.PhysicalAddress - target_field: source.mac - ignore_missing: true - - uppercase: - field: source.mac - ignore_missing: true - - rename: - field: crowdstrike.DownloadServer - target_field: server.address - ignore_missing: true - - rename: - field: crowdstrike.DownloadPath - target_field: url.path - ignore_missing: true - - ## URL fields. 
- - set: - field: url.path - value: "/{{url.path}}" - if: ctx.url?.path != null && !ctx.url.path.startsWith("/") - - registered_domain: - field: server.address - target_field: server - ignore_missing: true - - set: - field: url.scheme - value: https - if: ctx.crowdstrike?.DownloadPort == 443 - - set: - field: url.scheme - value: http - if: ctx.crowdstrike?.DownloadPort != 443 - - set: - field: url.full - value: "{{{url.scheme}}}://{{{server.address}}}{{{url.path}}}" - if: ctx.url?.scheme != null && ctx.server?.address != null && ctx.url?.path != null - - uri_parts: - field: url.full - ignore_failure: true - if: ctx.url?.full != null - - registered_domain: - field: url.domain - target_field: url - ignore_missing: true - ignore_failure: true - - ## IP Geolocation Lookup - - geoip: - field: observer.ip - target_field: observer.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - ## IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - ## DNS fields. 
- - set: - field: dns.type - value: query - if: ctx.event?.action == "DnsRequest" - - registered_domain: - field: crowdstrike.DomainName - target_field: dns.question - ignore_missing: true - if: ctx.event?.action == "DnsRequest" - - rename: - field: dns.question.domain - target_field: dns.question.name - ignore_missing: true - if: ctx.event?.action == "DnsRequest" - - script: - tag: dns-request-type-to-name - description: Map decimal DNS request type to its name. - lang: painless - params: - "1": A - "2": NS - "5": CNAME - "6": SOA - "12": PTR - "13": HINFO - "15": MX - "16": TXT - "17": RP - "18": AFSDB - "24": SIG - "25": KEY - "28": AAAA - "29": LOC - "33": SRV - "35": NAPTR - "36": KX - "37": CERT - "39": DNAME - "42": APL - "43": DS - "44": SSHFP - "45": IPSECKEY - "46": RRSIG - "47": NSEC - "48": DNSKEY - "49": DHCID - "50": NSEC3 - "51": NSEC3PARAM - "52": TLSA - "53": SMIMEA - "55": HIP - "59": CDS - "60": CDNSKEY - "61": OPENPGPKEY - "62": CSYNC - "63": ZONEMD - "64": SVCB - "65": HTTPS - "108": EUI48 - "109": EUI64 - "249": TKEY - "250": TSIG - "256": URI - "257": CAA - "32768": TA - "32769": DLV - if: ctx.event?.action == "DnsRequest" && ctx.crowdstrike?.RequestType != null && !ctx.crowdstrike.RequestType.isEmpty() - source: |- - def t = params[ctx.crowdstrike.RequestType]; - if (t != null) { - if (ctx.dns?.question == null) { - ctx.dns.question = new HashMap(); - } - ctx.dns.question.type = t; - ctx.crowdstrike.remove("RequestType"); - } - - ## File fields. 
- - convert:
- field: crowdstrike.Size
- type: long
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: crowdstrike.Size
- target_field: file.size
- ignore_missing: true
- - rename:
- field: crowdstrike.FileIdentifier
- target_field: file.inode
- ignore_missing: true
- - rename:
- field: crowdstrike.SourceFileName
- target_field: file.path
- ignore_missing: true
- - rename:
- field: crowdstrike.TargetFileName
- target_field: file.path
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: crowdstrike.DiskParentDeviceInstanceId
- target_field: file.device
- ignore_missing: true
- - set:
- field: file.type
- value: file
- if: ctx.file?.path != null && !ctx.event.action.contains("Directory")
- - set:
- field: file.type
- value: dir
- if: ctx.file?.path != null && (ctx.event.action.contains("Directory") || ctx.file.path.endsWith("\\") || ctx.file.path.endsWith("/"))
- - script:
- tag: parse-file-path
- description: Adds file information.
- lang: painless
- if: ctx.file?.path != null && ctx.file.path.length() > 1
- source: |-
- def removeSuffix(String s, String suffix) {
- if (s != null && suffix != null && s.endsWith(suffix)) {
- return s.substring(0, s.length() - suffix.length());
- }
- return s;
- }
-
- def path = removeSuffix(ctx.file.path, "/");
- path = removeSuffix(path, "\\");
- def idx = path.lastIndexOf("\\");
- if (idx == -1) {
- idx = path.lastIndexOf("/");
- }
- if (idx > -1) {
- if (ctx.file == null) {
- ctx.file = new HashMap();
- }
- ctx.file.name = path.substring(idx+1);
- ctx.file.directory = path.substring(0, idx);
-
- def extIdx = ctx.file.name.lastIndexOf(".");
- if (extIdx > -1 && ctx.file.type == "file") {
- ctx.file.extension = ctx.file.name.substring(extIdx+1);
- }
- }
- if (path.charAt(1) == ":") {
- ctx.file.drive_letter = path.charAt(0).toUpperCase();
- }
- - rename:
- field: _temp.hashes
- target_field: file.hash
- if: ctx.event?.action != null && (ctx.event.action.contains("File") || ctx.event.action.contains("Directory") || ctx.event.action.contains("Executable")) && ctx._temp?.hashes != null && ctx._temp?.hashes.size() > 0
-
- ## Crowdstrike fields.
- - split:
- field: crowdstrike.FalconGroupingTags
- separator: ",\\s?"
- ignore_missing: true
- ignore_failure: true
- - split:
- field: crowdstrike.SensorGroupingTags
- separator: ",\\s?"
- ignore_missing: true
- ignore_failure: true
- - split:
- field: crowdstrike.Tags
- separator: ",\\s?"
- ignore_missing: true
- ignore_failure: true
- - split:
- field: crowdstrike.CallStackModuleNames
- separator: "\\|"
- ignore_missing: true
- ignore_failure: true
- - convert:
- field: crowdstrike.UserTime
- type: long
- ignore_missing: true
- - convert:
- field: crowdstrike.KernelTime
- type: long
- ignore_missing: true
- - convert:
- field: crowdstrike.CycleTime
- type: long
- ignore_missing: true
- - append:
- field: related.hash
- value: "{{{crowdstrike.ConfigStateHash}}}"
- ignore_failure: true
- allow_duplicates: false
- if: ctx.crowdstrike?.ConfigStateHash != null && ctx.crowdstrike.ConfigStateHash != ""
- - trim:
- field: crowdstrike.BootArgs
- ignore_missing: true
- - split:
- field: crowdstrike.BootArgs
- separator: '\s+'
- ignore_missing: true
- - date:
- field: crowdstrike.LogonTime
- target_field: crowdstrike.LogonTime
- formats:
- - UNIX
- if: ctx.crowdstrike?.LogonTime != null && ctx.crowdstrike?.LogonTime != ""
- - date:
- field: crowdstrike.LogoffTime
- target_field: crowdstrike.LogoffTime
- formats:
- - UNIX
- if: ctx.crowdstrike?.LogoffTime != null && ctx.crowdstrike?.LogoffTime != ""
- - date:
- field: crowdstrike.ConnectTime
- target_field: crowdstrike.ConnectTime
- formats:
- - UNIX
- if: ctx.crowdstrike?.ConnectTime != null && ctx.crowdstrike?.ConnectTime != ""
- - date:
- field: crowdstrike.PreviousConnectTime
- target_field: crowdstrike.PreviousConnectTime
- formats:
- - UNIX
- if: ctx.crowdstrike?.PreviousConnectTime != null && ctx.crowdstrike?.PreviousConnectTime != ""
- - date:
- field: crowdstrike.AgentLocalTime
- target_field: crowdstrike.AgentLocalTime
- formats:
- - UNIX
- if: ctx.crowdstrike?.AgentLocalTime != null && ctx.crowdstrike?.AgentLocalTime != ""
- - date:
- field: crowdstrike.FirstSeen
- target_field: crowdstrike.FirstSeen
- formats:
- - UNIX
- if: ctx.crowdstrike?.FirstSeen != null && ctx.crowdstrike?.FirstSeen != ""
- - date:
- field: crowdstrike.Time
- target_field: crowdstrike.Time
- formats:
- - UNIX
- if: ctx.crowdstrike?.Time != null && ctx.crowdstrike?.Time != ""
- - date:
- field: crowdstrike.BiosReleaseDate
- target_field: crowdstrike.BiosReleaseDate
- formats:
- - MM/dd/yyyy
- - strict_date_optional_time
- if: ctx.crowdstrike?.BiosReleaseDate != null && ctx.crowdstrike?.BiosReleaseDate != ""
- - convert:
- field: crowdstrike.AgentTimeOffset
- target_field: crowdstrike.AgentTimeOffset
- type: float
- ignore_missing: true
- - convert:
- field: crowdstrike.Timeout
- type: long
- ignore_missing: true
- - convert:
- field: crowdstrike.PhysicalAddressLength
- type: long
- ignore_missing: true
- - convert:
- field: crowdstrike.InterfaceIndex
- type: long
- ignore_missing: true
- - convert:
- field: crowdstrike.NetLuidIndex
- type: long
- ignore_missing: true
- - convert:
- field: crowdstrike.AttemptNumber
- type: long
- ignore_missing: true
- - convert:
- field: crowdstrike.SystemTableIndex
- type: long
- ignore_missing: true
- - split:
- field: crowdstrike.NeighborList
- separator: '\|'
- ignore_missing: true
- - split:
- field: crowdstrike.ConfigStateData
- separator: '\|'
- ignore_missing: true
- - append:
- field: related.hosts
- value: "{{{crowdstrike.LogonServer}}}"
- allow_duplicates: false
- if: ctx.crowdstrike?.LogonServer != null
- - append:
- field: related.hosts
- value: "{{{crowdstrike.ClientComputerName}}}"
- allow_duplicates: false
- if: ctx.crowdstrike?.ClientComputerName != null
-
- ## Cleanup.
- - remove:
- field: crowdstrike.event_platform
- ignore_missing: true
- ignore_failure: true
- if: ctx.os?.type != null
- - remove:
- field:
- - _temp
- - crowdstrike.timestamp
- - crowdstrike._time
- - crowdstrike.ContextTimeStamp
- - crowdstrike.CreationTimeStamp
- - crowdstrike.DomainName
- - crowdstrike.ConnectionDirection
- - crowdstrike.UserIsAdmin
- - crowdstrike.TargetDirectoryName
- ignore_missing: true
- ignore_failure: true
- - remove:
- field: event.original
- if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
- - script:
- tag: remove-nulls
- lang: painless
- description: This script processor iterates over the whole document to remove fields with null values.
- source: |
- void handleMap(Map map) {
- for (def x : map.values()) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- map.values().removeIf(v -> v == null || v == '' || v == '-' || v == 'none' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
- }
- void handleList(List list) {
- for (def x : list) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- list.removeIf(v -> v == null || v == '' || v == '-' || v == 'none' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
- }
- handleMap(ctx);
-on_failure:
- - set:
- field: error.message
- value: "Processor '{{ _ingest.on_failure_processor_type }}' with tag '{{ _ingest.on_failure_processor_tag }}' failed with message {{ _ingest.on_failure_message }}"
diff --git a/packages/crowdstrike/1.3.3/data_stream/fdr/fields/base-fields.yml b/packages/crowdstrike/1.3.3/data_stream/fdr/fields/base-fields.yml deleted file mode 100755
index b701d8325a..0000000000
--- a/packages/crowdstrike/1.3.3/data_stream/fdr/fields/base-fields.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-- name: input.type
- type: keyword
-- name: log.offset
- type: long
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: crowdstrike
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: crowdstrike.fdr
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/crowdstrike/1.3.3/data_stream/fdr/fields/ecs.yml b/packages/crowdstrike/1.3.3/data_stream/fdr/fields/ecs.yml deleted file mode 100755
index 09e7f347a7..0000000000
--- a/packages/crowdstrike/1.3.3/data_stream/fdr/fields/ecs.yml
+++ /dev/null
@@ -1,509 +0,0 @@
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: destination.geo.location
- type: geo_point
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- The name being queried.
- If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
- name: dns.question.name
- type: keyword
-- description: |-
- The highest registered domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: dns.question.registered_domain
- type: keyword
-- description: |-
- The subdomain is all of the labels under the registered_domain.
- If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: dns.question.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: dns.question.top_level_domain
- type: keyword
-- description: The type of record being queried.
- name: dns.question.type
- type: keyword
-- description: |-
- The type of DNS event captured, query or answer.
- If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.
- If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers.
- name: dns.type
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
- Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
- name: event.timezone
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: Device that is the source of the file.
- name: file.device
- type: keyword
-- description: Directory where the file is located. It should include the drive letter, when appropriate.
- name: file.directory
- type: keyword
-- description: |-
- File extension, excluding the leading dot.
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: file.extension
- type: keyword
-- description: SHA256 hash.
- name: file.hash.sha256
- type: keyword
-- description: Inode representing the file in the filesystem.
- name: file.inode
- type: keyword
-- description: Name of the file including the extension, without the directory.
- name: file.name
- type: keyword
-- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
- multi_fields:
- - name: text
- type: match_only_text
- name: file.path
- type: keyword
-- description: |-
- File size in bytes.
- Only relevant when `file.type` is "file".
- name: file.size
- type: long
-- description: File type (file, dir, or symlink).
- name: file.type
- type: keyword
-- description: City name.
- name: host.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: host.geo.continent_name
- type: keyword
-- description: Country name.
- name: host.geo.country_name
- type: keyword
-- description: The time zone of the location, such as IANA time zone name.
- name: host.geo.timezone
- type: keyword
-- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- name: host.hostname
- type: keyword
-- description: |-
- Name of the host.
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
- name: host.name
- type: keyword
-- description: |-
- Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
- If the event wasn't read from a log file, do not populate this field.
- name: log.file.path
- type: keyword
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
- name: network.iana_number
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: City name.
- name: observer.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: observer.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: observer.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: observer.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- level: core
- name: observer.geo.location
- type: geo_point
-- description: Region ISO code.
- name: observer.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: observer.geo.region_name
- type: keyword
-- description: IP addresses of the observer.
- name: observer.ip
- type: ip
-- description: Observer serial number.
- name: observer.serial_number
- type: keyword
-- description: |-
- The type of the observer the data is coming from.
- There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
- name: observer.type
- type: keyword
-- description: Vendor name of the observer.
- name: observer.vendor
- type: keyword
-- description: Observer version.
- name: observer.version
- type: keyword
-- description: |-
- Use the `os.type` field to categorize the operating system into one of the broad commercial families.
- One of these following values should be used (lowercase): linux, macos, unix, windows.
- If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
- name: os.type
- type: keyword
-- description: Operating system version as a raw string.
- name: os.version
- type: keyword
-- description: |-
- Array of process arguments, starting with the absolute path to the executable.
- May be filtered to protect sensitive information.
- name: process.args
- type: keyword
-- description: |-
- Length of the process.args array.
- This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
- name: process.args_count
- type: long
-- description: |-
- Full command line that started the process, including the absolute path to the executable, and all arguments.
- Some arguments may be filtered to protect sensitive information.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.command_line
- type: wildcard
-- description: The time the process ended.
- name: process.end
- type: date
-- description: |-
- Unique identifier for the process.
- The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
- Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
- name: process.entity_id
- type: keyword
-- description: Absolute path to the process executable.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.executable
- type: keyword
-- description: |-
- The exit code of the process, if this is a termination event.
- The field should be absent if there is no exit code for the event (e.g. process start).
- name: process.exit_code
- type: long
-- description: MD5 hash.
- name: process.hash.md5
- type: keyword
-- description: SHA256 hash.
- name: process.hash.sha256
- type: keyword
-- description: |-
- Unique identifier for the process.
- The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
- Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
- name: process.parent.entity_id
- type: keyword
-- description: |-
- Process name.
- Sometimes called program name or similar.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.parent.name
- type: keyword
-- description: |-
- Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`.
- Identifier of the group of processes the process belongs to.
- name: process.pgid
- type: long
-- description: Process id.
- name: process.pid
- type: long
-- description: The time the process started.
- name: process.start
- type: date
-- description: Thread ID.
- name: process.thread.id
- type: long
-- description: |-
- Process title.
- The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.title
- type: keyword
-- description: Seconds the process has been up.
- name: process.uptime
- type: long
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- type: keyword
-- description: |-
- Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: server.address
- type: keyword
-- description: |-
- The domain name of the server system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: server.domain
- type: keyword
-- description: |-
- The highest registered server domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: server.registered_domain
- type: keyword
-- description: |-
- The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
- For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: server.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: server.top_level_domain
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: |-
- MAC address of the source.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: source.mac
- type: keyword
-- description: Port of the source.
- name: source.port
- type: long
-- description: List of keywords used to tag each event.
- name: tags
- type: keyword
-- description: |-
- Domain of the url, such as "www.elastic.co".
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
- name: url.domain
- type: keyword
-- description: |-
- The field contains the file extension from the original request url, excluding the leading dot.
- The file extension is only set if it exists, as not every url has a file extension.
- The leading period must not be included. For example, the value must be "png", not ".png".
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: url.extension
- type: keyword
-- description: |-
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.original
- type: wildcard
-- description: Path of the request, such as "/search".
- name: url.path
- type: wildcard
-- description: |-
- The highest registered url domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: url.registered_domain
- type: keyword
-- description: |-
- Scheme of the request, such as "https".
- Note: The `:` is not part of the scheme.
- name: url.scheme
- type: keyword
-- description: |-
- The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
- For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: url.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: url.top_level_domain
- type: keyword
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.domain
- type: keyword
-- description: User email address.
- name: user.email
- type: keyword
-- description: User's full name, if available.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.full_name
- type: keyword
-- description: Unique identifier for the group on the system/platform.
- name: user.group.id
- type: keyword
-- description: Unique identifier of the user.
- name: user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
diff --git a/packages/crowdstrike/1.3.3/data_stream/fdr/fields/fields.yml b/packages/crowdstrike/1.3.3/data_stream/fdr/fields/fields.yml deleted file mode 100755
index 430dfe74b2..0000000000
--- a/packages/crowdstrike/1.3.3/data_stream/fdr/fields/fields.yml
+++ /dev/null
@@ -1,595 +0,0 @@
-- name: observer.address
- type: keyword
-- name: crowdstrike
- type: group
- fields:
- - name: AgentTimeOffset
- type: float
- - name: AllocateVirtualMemoryCount
- type: long
- - name: ApiReturnValue
- type: keyword
- - name: ArchiveFileWrittenCount
- type: long
- - name: AsepWrittenCount
- type: long
- - name: AuthenticationId
- type: keyword
- - name: AuthenticationPackage
- type: keyword
- - name: BinaryExecutableWrittenCount
- type: long
- - name: BootArgs
- type: keyword
- - name: BundleID
- type: keyword
- - name: CLICreationCount
- type: long
- - name: CallStackModuleNames
- type: keyword
- - name: CallStackModuleNamesVersion
- type: version
- - name: ClientComputerName
- type: keyword
- - name: CompletionEventId
- type: keyword
- - name: ConfigBuild
- type: keyword
- - name: ConHostId
- type: keyword
- - name: ConHostProcessId
- type: keyword
- - name: ConfigStateHash
- type: keyword
- - name: ConnectionFlags
- type: keyword
- - name: ContextProcessId
- type: keyword
- - name: CreateProcessCount
- type: long
- - name: CreateProcessType
- type: keyword
- - name: CycleTime
- type: long
- - name: DesiredAccess
- type: keyword
- - name: DirectoryCreatedCount
- type: long
- - name: DirectoryEnumeratedCount
- type: long
- - name: DnsRequestCount
- type: long
- - name: DocumentFileWrittenCount
- type: long
- - name: DownloadPath
- type: keyword
- - name: DownloadPort
- type: long
- - name: DownloadServer
- type: keyword
- - name: DualRequest
- type: keyword
- - name: EffectiveTransmissionClass
- type: keyword
- - name: EnabledPrivilegesBitmask
- type: keyword
- - name: Entitlements
- type: keyword
- - name: ExeAndServiceCount
- type: long
- - name: ExecutableDeletedCount
- type: long
- - name: FalconGroupingTags
- type: keyword
- - name: FileAttributes
- type: keyword
- - name: FileDeletedCount
- type: long
- - name: FileEcpBitmask
- type: keyword
- - name: FileObject
- type: keyword
- - name: FirstSeen
- type: date
- - name: Flags
- type: keyword
- - name: GenericFileWrittenCount
- type: long
- - name: GrandParentBaseFileName
- type: keyword
- - name: HostHiddenStatus
- type: keyword
- - name: ImageSubsystem
- type: keyword
- - name: InContext
- type: keyword
- - name: Information
- type: keyword
- - name: InjectedDllCount
- type: long
- - name: InjectedThreadCount
- type: long
- - name: IntegrityLevel
- type: keyword
- - name: InterfaceGuid
- type: keyword
- - name: InterfaceIndex
- type: long
- - name: InterfaceVersion
- type: keyword
- - name: IrpFlags
- type: keyword
- - name: IsOnNetwork
- type: keyword
- - name: IsOnRemovableDisk
- type: keyword
- - name: IsTransactedFile
- type: keyword
- - name: KernelTime
- type: long
- - name: LogoffTime
- type: date
- - name: LogonDomain
- type: keyword
- - name: LogonId
- type: keyword
- - name: LogonServer
- type: keyword
- - name: LogonTime
- type: date
- - name: LogonType
- type: keyword
- - name: MachOSubType
- type: keyword
- - name: MajorFunction
- type: keyword
- - name: MaxThreadCount
- type: long
- - name: MinorFunction
- type: keyword
- - name: ModuleLoadCount
- type: long
- - name: NDRoot
- type: keyword
- - name: NetworkBindCount
- type: long
- - name: NetworkCapableAsepWriteCount
- type: long
- - name: NetworkCloseCount
- type: long
- - name: NetworkConnectCount
- type: long
- - name: NetworkConnectCountUdp
- type: long
- - name: NetworkListenCount
- type: long
- - name: NetworkModuleLoadCount
- type: long
- - name: NetworkRecvAcceptCount
- type: long
- - name: NewExecutableWrittenCount
- type: long
- - name: NewFileIdentifier
- type: keyword
- - name: OperationFlags
- type: keyword
- - name: Options
- type: keyword
- - name: OU
- type: keyword
- - name: ParentAuthenticationId
- type: keyword
- - name: PasswordLastSet
- type: keyword
- - name: PhysicalAddressLength
- type: long
- - name: PointerSize
- type: keyword
- - name: PrivilegedProcessHandleCount
- type: long
- - name: PrivilegesBitmask
- type: keyword
- - name: ProcessCreateFlags
- type: keyword
- - name: ProcessParameterFlags
- type: keyword
- - name: ProcessSxsFlags
- type: keyword
- - name: ProductType
- type: keyword
- - name: ProtectVirtualMemoryCount
- type: long
- - name: QueueApcCount
- type: long
- - name: RGID
- type: keyword
- - name: RUID
- type: keyword
- - name: RegKeySecurityDecreasedCount
- type: long
- - name: RemoteAccount
- type: keyword
- - name: RemovableDiskFileWrittenCount
- type: long
- - name: RequestType
- type: keyword
- - name: RpcClientProcessId
- type: keyword
- - name: RpcClientThreadId
- type: keyword
- - name: RpcNestingLevel
- type: keyword
- - name: RpcOpNum
- type: keyword
- - name: RunDllInvocationCount
- type: long
- - name: SVGID
- type: keyword
- - name: SVUID
- type: keyword
- - name: ScreenshotsTakenCount
- type: long
- - name: ScriptEngineInvocationCount
- type: long
- - name: SensorGroupingTags
- type: keyword
- - name: ServiceDisplayName
- type: keyword
- - name: ServiceEventCount
- type: long
- - name: ServicePackMajor
- type: keyword
- - name: SessionId
- type: keyword
- - name: SessionProcessId
- type: keyword
- - name: SetThreadContextCount
- type: long
- - name: ShareAccess
- type: keyword
- - name: Size
- type: long
- - name: SiteName
- type: keyword
- - name: SnapshotFileOpenCount
- type: long
- - name: SourceFileName
- type: keyword
- - name: SourceProcessId
- type: keyword
- - name: SourceThreadId
- type: keyword
- - name: Status
- type: keyword
- - name: SubStatus
- type: keyword
- - name: SuspectStackCount
- type: long
- - name: SuspiciousCredentialModuleLoadCount
- type: long
- - name: SuspiciousDnsRequestCount
- type: long
- - name: SuspiciousFontLoadCount
- type: long
- - name: SuspiciousRawDiskReadCount
- type: long
- - name: Tags
- type: keyword
- - name: TargetThreadId
- type: keyword
- - name: Time
- type: date
- - name: Timeout
- type: long
- - name: TokenType
- type: keyword
- - name: UnixMode
- type: keyword
- - name: UnsignedModuleLoadCount
- type: long
- - name: UserFlags
- type: keyword
- - name: UserGroupsBitmask
- type: keyword
- - name: UserLogoffType
- type: keyword
- - name: UserLogonFlags
- type: keyword
- - name: UserMemoryAllocateExecutableCount
- type: long
- - name: UserMemoryAllocateExecutableRemoteCount
- type: long
- - name: UserMemoryProtectExecutableCount
- type: long
- - name: UserMemoryProtectExecutableRemoteCount
- type: long
- - name: UserTime
- type: long
- - name: VnodeModificationType
- type: keyword
- - name: VnodeType
- type: keyword
- - name: VolumeDeviceCharacteristics
- type: keyword
- - name: VolumeDeviceObjectFlags
- type: keyword
- - name: VolumeDeviceType
- type: keyword
- - name: VolumeDriveLetter
- type: keyword
- - name: VolumeFileSystemDevice
- type: keyword
- - name: VolumeFileSystemDriver
- type: keyword
- - name: VolumeFileSystemType
- type: keyword
- - name: VolumeIsEncrypted
- type: keyword
- - name: VolumeIsNetwork
- type: keyword
- - name: VolumeMountPoint
- type: keyword
- - name: VolumeName
- type: keyword
- - name: VolumeRealDeviceName
- type: keyword
- - name: VolumeSectorSize
- type: keyword
- - name: cid
- type: keyword
- - name: name
- type: keyword
- - name: AgentLoadFlags
- type: keyword
- - name: AgentLocalTime
- type: date
- - name: AgentVersion
- type: keyword
- - name: AttemptNumber
- type: long
- - name: AuthenticationUuid
- type: keyword
- - name: AuthenticationUuidAsString
- type: keyword
- - name: BiosManufacturer
- type: keyword
- - name: BiosReleaseDate
- type: date
- - name: BiosVersion
- type: keyword
- - name: BootTimeFunctionalityLevel
- type: keyword
- - name: BoundedCount
- type: long
- - name: ChannelDiffStatus
- type: keyword
- - name: ChannelId
- type: keyword
- - name: ChannelVersion
- type: keyword
- - name: ChannelVersionRequired
- type: keyword
- - name: ChasisManufacturer
- type: keyword
- - name: ChassisType
- type: keyword
- - name: ConfigIDBase
- type: keyword
- - name: ConfigIDBuild
- type: keyword
- - name: ConfigIDPlatform
- type: keyword
- - name: ConfigStateData
- type: keyword
- - name: ConfigurationVersion
- type: keyword
- - name: ConnectTime
- type: date
- - name: ConnectType
- type: keyword
- - name: CpuClockSpeed
- type: keyword
- - name: CpuFeaturesMask
- type: keyword
- - name: CpuProcessorName
- type: keyword
- - name: CpuSignature
- type: keyword
- - name: CpuVendor
- type: keyword
- - name: CurrentFunctionalityLevel
- type: keyword
- - name: DeviceId
- type: keyword
- - name: ELFSubType
- type: keyword
- - name: ErrorCode
- type: keyword
- - name: ErrorStatus
- type: keyword
- - name: EtwRawThreadId
- type: long
- - name: FXFileSize
- type: keyword
- - name: Facility
- type: keyword
- - name: FailedConnectCount
- type: long
- - name: FeatureExtractionVersion
- type: keyword
- - name: FeatureVector
- type: keyword
- - name: File
- type: keyword
- - name: FirmwareAnalysisEclConsumerInterfaceVersion
- type: keyword
- - name: FirmwareAnalysisEclControlInterfaceVersion
- type: keyword
- - name: IOServiceClass
- type: keyword
- - name: IOServiceName
- type: keyword
- - name: IOServicePath
- type: keyword
- - name: InDiscards
- type: keyword
- - name: InErrors
- type: keyword
- - name: InMulticastPkts
- type: keyword
- - name: InOctets
- type: keyword
- - name: InUcastPkts
- type: keyword
- - name: InUnknownProtos
- type: keyword
- - name: InterfaceAlias
- type: keyword
- - name: InterfaceType
- type: keyword
- - name: LfoUploadFlags
- type: keyword
- - name: LightningLatencyState
- type: keyword
- - name: Line
- type: keyword
- - name: LogicalCoreCount
- type: long
- - name: LoginSessionId
- type: keyword
- - name: MLModelVersion
- type: keyword
- - name: MajorVersion
- type: keyword
- - name: Malicious
- type: keyword
- - name: MemoryTotal
- type: keyword
- - name: MicrocodeSignature
- type: keyword
- - name: MinorVersion
- type: keyword
- - name: MoboManufacturer
- type: keyword
- - name: MoboProductName
- type: keyword
- - name: ModelPrediction
- type: keyword
- - name: NeighborList
- type: keyword
- - name: NetLuidIndex
- type: long
- - name: NetworkContainmentState
- type: keyword
- - name: OSVersionFileData
- type: keyword
- - name: OSVersionFileName
- type: keyword
- - name: OutErrors
- type: keyword
- - name: OutMulticastPkts
- type: keyword
- - name: OutOctets
- type: keyword
- - name: OutUcastPkts
- type: keyword
- - name: Parameter1
- type: keyword
- - name: Parameter2
- type: keyword
- - name: Parameter3
- type: keyword
- - name: PciAttachmentState
- type: keyword
- - name: PhysicalCoreCount
- type: long
- - name: PreviousConnectTime
- type: date
- - name: ProcessCount
- type: long
- - name: ProcessorPackageCount
- type: long
- - name: ProvisionState
- type: keyword
- - name: PupAdwareConfidence
- type: keyword
- - name: PupAdwareDecisionValue
- type: keyword
- - name: RFMState
- type: keyword
- - name: ReasonOfFunctionalityLevel
- type: keyword
- - name: SensorStateBitMap
- type: keyword
- - name: SuppressType
- type: keyword
- - name: SyntheticPR2Flags
- type: keyword
- - name: SystemManufacturer
- type: keyword
- - name: SystemProductName
- type: keyword
- - name: SystemSerialNumber
- type: keyword
- - name: SystemSku
- type: keyword
- - name: SystemTableIndex
- type: long
- - name: TargetFileName
- type: keyword
- - name: USN
- type: keyword
- - name: UploadId
- type: keyword
- - name: UserSid
- type: keyword
- - name: VerifiedCertificate
- type: keyword
- - name: VolumeAppearanceTime
- type: keyword
- - name: VolumeBusName
- type: keyword
- - name: VolumeBusPath
- type: keyword
- - name: VolumeDeviceInternal
- type: keyword
- - name: VolumeDeviceModel
- type: keyword
- - name: VolumeDevicePath
- type: keyword
- - name: VolumeDeviceProtocol
- type: keyword
- - name: VolumeDeviceRevision
- type: keyword
- - name: VolumeMediaBSDMajor
- type: keyword
- - name: VolumeMediaBSDMinor
- type: keyword
- - name: VolumeMediaBSDName
- type: keyword
- - name: VolumeMediaBSDUnit
- type: keyword
- - name: VolumeMediaContent
- type: keyword
- - name: VolumeMediaEjectable
- type: keyword
- - name: VolumeMediaName
- type: keyword
- - name: VolumeMediaPath
- type: keyword
- - name: VolumeMediaRemovable
- type: keyword
- - name: VolumeMediaSize
- type: keyword
- - name: VolumeMediaUUID
- type: keyword
- - name: VolumeMediaWhole
- type: keyword
- - name: VolumeMediaWritable
- type: keyword
- - name: VolumeType
- type: keyword
- - name: VolumeUUID
- type: keyword
- - name: WindowFlags
- type: keyword
diff --git a/packages/crowdstrike/1.3.3/data_stream/fdr/manifest.yml b/packages/crowdstrike/1.3.3/data_stream/fdr/manifest.yml
deleted file mode 100755
index 755618e931..0000000000
--- a/packages/crowdstrike/1.3.3/data_stream/fdr/manifest.yml
+++ /dev/null
@@ -1,183 +0,0 @@
-title: "Falcon Data Replicator"
-type: logs
-streams:
- - input: aws-s3
- template_path: aws-s3.yml.hbs
- title: Falcon Data Replicator logs
- description: Collect Falcon Data Replicator logs using s3 input
- vars:
- - name: access_key_id
- type: text
- title: Access Key ID
- multi: false
- required: false
- show_user: true
- - name: secret_access_key
- type: text
- title: Secret Access Key
- multi: false
- required: false
- show_user: true
- - name: session_token
- type: text
- title: Session Token
- multi: false
- required: false
- show_user: true
- - name: queue_url
- type: text
- title: Queue URL
- multi: false
- required: true
- show_user: true
- description: URL of the AWS SQS queue that messages will be received from.
- - name: is_fdr_queue
- type: bool
- title: Is FDR queue
- multi: false
- required: true
- show_user: true
- description: |
- By default the FDR queue is expected. This option must be set to `false` if you are using your own queue.
- default: true
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: shared_credential_file
- type: text
- title: Shared Credential File
- multi: false
- required: false
- show_user: false
- description: Directory of the shared credentials file
- - name: credential_profile_name
- type: text
- title: Credential Profile Name
- multi: false
- required: false
- show_user: false
- - name: role_arn
- type: text
- title: Role ARN
- multi: false
- required: false
- show_user: false
- - name: endpoint
- type: text
- title: Endpoint
- multi: false
- required: false
- show_user: false
- default: "amazonaws.com"
- description: URL of the entry point for an AWS web service
- - name: visibility_timeout
- type: text
- title: Visibility Timeout
- multi: false
- required: false
- show_user: false
- description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
- - name: api_timeout
- type: text
- title: API Timeout
- multi: false
- required: false
- show_user: false
- description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
- - name: fips_enabled
- type: bool
- title: Enable S3 FIPS
- default: false
- multi: false
- required: false
- show_user: false
- description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
- - name: proxy_url
- type: text
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http[s]://:@:
- - name: fdr_parsing_script
- type: yaml
- title: FDR Notification Parsing Script
- multi: false
- required: true
- show_user: false
- description: The JS script used to parse the custom format of SQS FDR notifications.
- default: |
- function parse(n) {
- var m = JSON.parse(n);
- var evts = [];
- var files = m.files;
- var bucket = m.bucket;
- if (!Array.isArray(files) || (files.length == 0) || bucket == null || bucket == "") {
- return evts;
- }
- files.forEach(function(f){
- var evt = new S3EventV2();
- evt.SetS3BucketName(bucket);
- evt.SetS3ObjectKey(f.path);
- evts.push(evt);
- });
- return evts;
- }
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
- - crowdstrike-fdr
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: logfile
- title: Falcon Data Replicator logs
- description: Collect Falcon Data Replicator logs using a log file
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- default:
- - /var/log/falcon_data_replicator.log
- show_user: true
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
- - crowdstrike-fdr
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/crowdstrike/1.3.3/data_stream/fdr/sample_event.json b/packages/crowdstrike/1.3.3/data_stream/fdr/sample_event.json
deleted file mode 100755
index 07551bd55b..0000000000
--- a/packages/crowdstrike/1.3.3/data_stream/fdr/sample_event.json
+++ /dev/null
@@ -1,121 +0,0 @@
-{
- "@timestamp": "2020-11-08T09:58:32.519Z",
- "agent": {
- "ephemeral_id": "8cb3a21e-5542-440a-a909-8a2f161001ba",
- "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.0"
- },
- "crowdstrike": {
- "ConfigStateHash": "1763245019",
- "DesiredAccess": "1179785",
- "EffectiveTransmissionClass": "3",
- "Entitlements": "15",
- "FileAttributes": "0",
- "FileObject": "18446670458156489088",
- "Information": "1",
- "IrpFlags": "2180",
- "MajorFunction": "0",
- "MinorFunction": "0",
- "OperationFlags": "0",
- "Options": "16777312",
- "ShareAccess": "5",
- "Status": "0",
- "cid": "ffffffff30a3407dae27d0503611022d",
- "name": "RansomwareOpenFileV4"
- },
- "data_stream": {
- "dataset": "crowdstrike.fdr",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "action": "RansomwareOpenFile",
- "agent_id_status": "verified",
- "category": [
- "file"
- ],
- "created": "2020-11-08T17:07:22.091Z",
- "dataset": "crowdstrike.fdr",
- "id": "ffffffff-1111-11eb-9756-06fe7f8f682f",
- "ingested": "2022-05-09T16:39:37Z",
- "kind": "alert",
- "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1763245019\",\"ContextProcessId\":\"1016182570608\",\"ContextThreadId\":\"37343520154472\",\"ContextTimeStamp\":\"1604829512.519\",\"DesiredAccess\":\"1179785\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"0\",\"FileIdentifier\":\"7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00\",\"FileObject\":\"18446670458156489088\",\"Information\":\"1\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"16777312\",\"ShareAccess\":\"5\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user11\\\\Downloads\\\\file.pptx\",\"aid\":\"ffffffffac4148947ed68497e89f3308\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"RansomwareOpenFile\",\"id\":\"ffffffff-1111-11eb-9756-06fe7f8f682f\",\"name\":\"RansomwareOpenFileV4\",\"timestamp\":\"1604855242091\"}",
- "outcome": "success",
- "timezone": "+00:00",
- "type": [
- "access"
- ]
- },
- "file": {
- "directory": "\\Device\\HarddiskVolume3\\Users\\user11\\Downloads",
- "extension": "pptx",
- "inode": "7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00",
- "name": "file.pptx",
- "path": "\\Device\\HarddiskVolume3\\Users\\user11\\Downloads\\file.pptx",
- "type": "file"
- },
- "input": {
- "type": "log"
- },
- "log": {
- "file": {
- "path": "/tmp/service_logs/fdr-sample.log"
- },
- "offset": 95203
- },
- "observer": {
- "address": "67.43.156.14",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.14",
- "serial_number": "ffffffffac4148947ed68497e89f3308",
- "type": "agent",
- "vendor": "crowdstrike",
- "version": "1007.3.0011603.1"
- },
- "os": {
- "type": "windows"
- },
- "process": {
- "entity_id": "1016182570608",
- "thread": {
- "id": 37343520154472
- }
- },
- "related": {
- "hash": [
- "1763245019"
- ],
- "hosts": [
- "67.43.156.14"
- ],
- "ip": [
- "67.43.156.14"
- ]
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "crowdstrike-fdr"
- ],
- "url": {
- "scheme": "http"
- }
-}
\ No newline at end of file
diff --git a/packages/crowdstrike/1.3.3/docs/README.md b/packages/crowdstrike/1.3.3/docs/README.md
deleted file mode 100755
index 77ec53e0b5..0000000000
--- a/packages/crowdstrike/1.3.3/docs/README.md
+++ /dev/null
@@ -1,1024 +0,0 @@ -# CrowdStrike Integration - -This integration is for [CrowdStrike](https://www.crowdstrike.com/resources/?cs_query=type=5) products. It includes the -following datasets for receiving logs: - -- `falcon` dataset: consists of endpoint data and Falcon platform audit data forwarded from [Falcon SIEM Connector](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/). -- `fdr` dataset: consists of logs forwarded using the [Falcon Data Replicator](https://github.com/CrowdStrike/FDR). - -## Compatibility - -This integration supports CrowdStrike Falcon SIEM-Connector-v2.0. - -## Logs - -### Falcon - -Contains endpoint data and CrowdStrike Falcon platform audit data forwarded from Falcon SIEM Connector. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | -| agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty. | keyword | -| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| crowdstrike.event.AuditKeyValues | Fields that were changed in this event. | nested | -| crowdstrike.event.CommandLine | Executable path with command line arguments. | keyword | -| crowdstrike.event.Commands | Commands run in a remote session. | keyword | -| crowdstrike.event.ComputerName | Name of the computer where the detection occurred. | keyword | -| crowdstrike.event.ConnectionDirection | Direction for network connection. | keyword | -| crowdstrike.event.CustomerId | Customer identifier. | keyword | -| crowdstrike.event.DetectDescription | Description of the detection. | keyword | -| crowdstrike.event.DetectId | Unique ID associated with the detection. | keyword | -| crowdstrike.event.DetectName | Name of the detection. | keyword | -| crowdstrike.event.DeviceId | Device on which the event occurred. | keyword | -| crowdstrike.event.EndTimestamp | End time for the remote session in UTC UNIX format. | date | -| crowdstrike.event.EventType | CrowdStrike provided event type. | keyword | -| crowdstrike.event.ExecutablesWritten | Detected executables written to disk by a process. | nested | -| crowdstrike.event.FalconHostLink | URL to view the detection in Falcon. | keyword | -| crowdstrike.event.FileName | File name of the associated process for the detection. 
| keyword | -| crowdstrike.event.FilePath | Path of the executable associated with the detection. | keyword | -| crowdstrike.event.FineScore | Score for incident. | float | -| crowdstrike.event.Flags.Audit | CrowdStrike audit flag. | boolean | -| crowdstrike.event.Flags.Log | CrowdStrike log flag. | boolean | -| crowdstrike.event.Flags.Monitor | CrowdStrike monitor flag. | boolean | -| crowdstrike.event.GrandparentCommandLine | Grandparent process command line arguments. | keyword | -| crowdstrike.event.GrandparentImageFileName | Path to the grandparent process. | keyword | -| crowdstrike.event.HostName | Host name of the local machine. | keyword | -| crowdstrike.event.HostnameField | Host name of the machine for the remote session. | keyword | -| crowdstrike.event.ICMPCode | RFC2780 ICMP Code field. | keyword | -| crowdstrike.event.ICMPType | RFC2780 ICMP Type field. | keyword | -| crowdstrike.event.IOCType | CrowdStrike type for indicator of compromise. | keyword | -| crowdstrike.event.IOCValue | CrowdStrike value for indicator of compromise. | keyword | -| crowdstrike.event.ImageFileName | File name of the associated process for the detection. | keyword | -| crowdstrike.event.IncidentEndTime | End time for the incident in UTC UNIX format. | date | -| crowdstrike.event.IncidentStartTime | Start time for the incident in UTC UNIX format. | date | -| crowdstrike.event.Ipv | Protocol for network request. | keyword | -| crowdstrike.event.LateralMovement | Lateral movement field for incident. | long | -| crowdstrike.event.LocalAddress | IP address of local machine. | ip | -| crowdstrike.event.LocalIP | IP address of the host associated with the detection. | keyword | -| crowdstrike.event.LocalPort | Port of local machine. | long | -| crowdstrike.event.MACAddress | MAC address of the host associated with the detection. | keyword | -| crowdstrike.event.MD5String | MD5 sum of the executable associated with the detection. 
| keyword | -| crowdstrike.event.MachineDomain | Domain for the machine associated with the detection. | keyword | -| crowdstrike.event.MatchCount | Number of firewall rule matches. | long | -| crowdstrike.event.MatchCountSinceLastReport | Number of firewall rule matches since the last report. | long | -| crowdstrike.event.NetworkProfile | CrowdStrike network profile. | keyword | -| crowdstrike.event.Objective | Method of detection. | keyword | -| crowdstrike.event.OperationName | Event subtype. | keyword | -| crowdstrike.event.PID | Associated process id for the detection. | long | -| crowdstrike.event.ParentCommandLine | Parent process command line arguments. | keyword | -| crowdstrike.event.ParentImageFileName | Path to the parent process. | keyword | -| crowdstrike.event.ParentProcessId | Parent process ID related to the detection. | integer | -| crowdstrike.event.PatternDispositionDescription | Action taken by Falcon. | keyword | -| crowdstrike.event.PatternDispositionFlags.BootupSafeguardEnabled | | boolean | -| crowdstrike.event.PatternDispositionFlags.CriticalProcessDisabled | | boolean | -| crowdstrike.event.PatternDispositionFlags.Detect | | boolean | -| crowdstrike.event.PatternDispositionFlags.FsOperationBlocked | | boolean | -| crowdstrike.event.PatternDispositionFlags.InddetMask | | boolean | -| crowdstrike.event.PatternDispositionFlags.Indicator | | boolean | -| crowdstrike.event.PatternDispositionFlags.KillParent | | boolean | -| crowdstrike.event.PatternDispositionFlags.KillProcess | | boolean | -| crowdstrike.event.PatternDispositionFlags.KillSubProcess | | boolean | -| crowdstrike.event.PatternDispositionFlags.OperationBlocked | | boolean | -| crowdstrike.event.PatternDispositionFlags.PolicyDisabled | | boolean | -| crowdstrike.event.PatternDispositionFlags.ProcessBlocked | | boolean | -| crowdstrike.event.PatternDispositionFlags.QuarantineFile | | boolean | -| crowdstrike.event.PatternDispositionFlags.QuarantineMachine | | boolean | -| 
crowdstrike.event.PatternDispositionFlags.RegistryOperationBlocked | | boolean | -| crowdstrike.event.PatternDispositionFlags.Rooting | | boolean | -| crowdstrike.event.PatternDispositionFlags.SensorOnly | | boolean | -| crowdstrike.event.PatternDispositionValue | Unique ID associated with action taken. | integer | -| crowdstrike.event.PolicyID | CrowdStrike policy id. | keyword | -| crowdstrike.event.PolicyName | CrowdStrike policy name. | keyword | -| crowdstrike.event.ProcessEndTime | The process termination time in UTC UNIX_MS format. | date | -| crowdstrike.event.ProcessId | Process ID related to the detection. | integer | -| crowdstrike.event.ProcessStartTime | The process start time in UTC UNIX_MS format. | date | -| crowdstrike.event.Protocol | CrowdStrike provided protocol. | keyword | -| crowdstrike.event.RemoteAddress | IP address of remote machine. | ip | -| crowdstrike.event.RemotePort | Port of remote machine. | long | -| crowdstrike.event.RuleAction | Firewall rule action. | keyword | -| crowdstrike.event.RuleDescription | Firewall rule description. | keyword | -| crowdstrike.event.RuleFamilyID | Firewall rule family id. | keyword | -| crowdstrike.event.RuleGroupName | Firewall rule group name. | keyword | -| crowdstrike.event.RuleId | Firewall rule id. | keyword | -| crowdstrike.event.RuleName | Firewall rule name. | keyword | -| crowdstrike.event.SHA1String | SHA1 sum of the executable associated with the detection. | keyword | -| crowdstrike.event.SHA256String | SHA256 sum of the executable associated with the detection. | keyword | -| crowdstrike.event.SensorId | Unique ID associated with the Falcon sensor. | keyword | -| crowdstrike.event.ServiceName | Service associated with this event. | keyword | -| crowdstrike.event.SessionId | Session ID of the remote response session. | keyword | -| crowdstrike.event.Severity | Severity score of the detection. | integer | -| crowdstrike.event.SeverityName | Severity score text. 
| keyword | -| crowdstrike.event.StartTimestamp | Start time for the remote session in UTC UNIX format. | date | -| crowdstrike.event.State | Whether the incident summary is open and ongoing or closed. | keyword | -| crowdstrike.event.Status | CrowdStrike status. | keyword | -| crowdstrike.event.Success | Indicator of whether or not this event was successful. | boolean | -| crowdstrike.event.Tactic | MITRE tactic category of the detection. | keyword | -| crowdstrike.event.Technique | MITRE technique category of the detection. | keyword | -| crowdstrike.event.Timestamp | Firewall rule triggered timestamp. | date | -| crowdstrike.event.TreeID | CrowdStrike tree id. | keyword | -| crowdstrike.event.UTCTimestamp | Timestamp associated with this event in UTC UNIX format. | date | -| crowdstrike.event.UserId | Email address or user ID associated with the event. | keyword | -| crowdstrike.event.UserIp | IP address associated with the user. | keyword | -| crowdstrike.event.UserName | User name associated with the detection. | keyword | -| crowdstrike.metadata.customerIDString | Customer identifier | keyword | -| crowdstrike.metadata.eventCreationTime | The time this event occurred on the endpoint in UTC UNIX_MS format. | date | -| crowdstrike.metadata.eventType | DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent | keyword | -| crowdstrike.metadata.offset | Offset number that tracks the location of the event in stream. This is used to identify unique detection events. | integer | -| crowdstrike.metadata.version | Schema version | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword |
-| file.hash.md5 | MD5 hash. | keyword |
-| file.hash.sha1 | SHA1 hash. | keyword |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. 
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.name | Process name. Sometimes called program name or similar. 
| keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
-| process.pid | Process id. | long |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword |
-| rule.description | The description of the rule generating the event. | keyword |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. 
| keyword |
-| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword |
-| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-
-
-An example event for `falcon` looks as following:
-
-```json
-{
- "@timestamp": "2020-02-12T21:29:10.710Z",
- "agent": {
- "ephemeral_id": "cc9fb403-5b26-4fe7-aefc-41666b9f4575",
- "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.0"
- },
- "crowdstrike": {
- "event": {
- "AuditKeyValues": [
- {
- "Key": "APIClientID",
- "ValueString": "1234567890abcdefghijklmnopqr"
- },
- {
- "Key": "partition",
- "ValueString": "0"
- },
- {
- "Key": "offset",
- "ValueString": "-1"
- },
- {
- "Key": "appId",
- "ValueString": "siem-connector-v2.0.0"
- },
- {
- "Key": "eventType",
- "ValueString": "[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]"
- }
- ],
- "OperationName": "streamStarted",
- "ServiceName": "Crowdstrike Streaming API",
- "Success": true,
- "UTCTimestamp": "2020-02-12T21:29:10.000Z",
- "UserId": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz",
- "UserIp": "10.10.0.8"
- },
- "metadata": {
- "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
- "eventCreationTime": "2020-02-12T21:29:10.710Z",
- "eventType": 
"AuthActivityAuditEvent",
- "offset": 0,
- "version": "1.0"
- }
- },
- "data_stream": {
- "dataset": "crowdstrike.falcon",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "authentication"
- ],
- "dataset": "crowdstrike.falcon",
- "ingested": "2022-05-09T16:35:19Z",
- "kind": "event",
- "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 0,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581542950710,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"api-client-id:1234567890abcdefghijklmnopqrstuvwxyz\",\n \"UserIp\": \"10.10.0.8\",\n \"OperationName\": \"streamStarted\",\n \"ServiceName\": \"Crowdstrike Streaming API\",\n \"Success\": true,\n \"UTCTimestamp\": 1581542950,\n \"AuditKeyValues\": [\n {\n \"Key\": \"APIClientID\",\n \"ValueString\": \"1234567890abcdefghijklmnopqr\"\n },\n {\n \"Key\": \"partition\",\n \"ValueString\": \"0\"\n },\n {\n \"Key\": \"offset\",\n \"ValueString\": \"-1\"\n },\n {\n \"Key\": \"appId\",\n \"ValueString\": \"siem-connector-v2.0.0\"\n },\n {\n \"Key\": \"eventType\",\n \"ValueString\": \"[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]\"\n }\n ]\n }\n}",
- "outcome": "success",
- "type": [
- "change"
- ]
- },
- "event.action": "stream_started",
- "input": {
- "type": "log"
- },
- "log": {
- "file": {
- "path": "/tmp/service_logs/falcon-audit-events.log"
- },
- "flags": [
- "multiline"
- ],
- "offset": 910
- },
- "message": "Crowdstrike Streaming API",
- "related": {
- "ip": [
- "10.10.0.8"
- ],
- "user": [
- "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz"
- ]
- },
- "source": {
- "ip": "10.10.0.8"
- },
- "tags": [
- 
"preserve_original_event", - "forwarded", - "crowdstrike-falcon" - ], - "user": { - "name": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" - } -} -``` - -### FDR - -The CrowdStrike Falcon Data Replicator (FDR) allows CrowdStrike users to replicate FDR data from CrowdStrike -managed S3 buckets. CrowdStrike writes notification events to a CrowdStrike managed SQS queue when new data is -available in S3. - -This integration can be used in two ways. It can consume SQS notifications directly from the CrowdStrike managed -SQS queue or it can be used in conjunction with the FDR tool that replicates the data to a self-managed S3 bucket -and the integration can read from there. - -In both cases SQS messages are deleted after they are processed. This allows you to operate more than one Elastic -Agent with this integration if needed and not have duplicate events, but it means you cannot ingest the data a second time. - -#### Use with CrowdStrike managed S3/SQS - -This is the simplest way to setup the integration, and also the default. - -You need to set the integration up with the SQS queue URL provided by Crowdstrike FDR. -Ensure the `Is FDR queue` option is enabled. - -#### Use with FDR tool and data replicated to a self-managed S3 bucket - -This option can be used if you want to archive the raw CrowdStrike data. - -You need to follow the steps below: - -- Create a S3 bucket to receive the logs. -- Create a SQS queue. -- Configure your S3 bucket to send object created notifications to your SQS queue. -- Follow the [FDR tool](https://github.com/CrowdStrike/FDR) instructions to replicate data to your own S3 bucket. -- Configure the integration to read from your self-managed SQS topic. -- Disable the `Is FDR queue` option in the integration. - -> NOTE: While the FDR tool can replicate the files from S3 to your local file system, this integration cannot read those files because they are gzip compressed, and the log file input does not support reading compressed files. 
- -#### Configuration for the S3 input - -AWS credentials are required for running this integration if you want to use the S3 input. - -##### Configuration parameters -* `access_key_id`: first part of access key. -* `secret_access_key`: second part of access key. -* `session_token`: required when using temporary security credentials. -* `credential_profile_name`: profile name in shared credentials file. -* `shared_credential_file`: directory of the shared credentials file. -* `endpoint`: URL of the entry point for an AWS web service. -* `role_arn`: AWS IAM Role to assume. - -##### Credential Types -There are three types of AWS credentials can be used: - -- access keys, -- temporary security credentials, and -- IAM role ARN. - -##### Access keys - -`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are the two parts of access keys. -They are long-term credentials for an IAM user, or the AWS account root user. -Please see [AWS Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) -for more details. - -##### Temporary security credentials - -Temporary security credentials has a limited lifetime and consists of an -access key ID, a secret access key, and a security token which typically returned -from `GetSessionToken`. - -MFA-enabled IAM users would need to submit an MFA code -while calling `GetSessionToken`. `default_region` identifies the AWS Region -whose servers you want to send your first API request to by default. - -This is typically the Region closest to you, but it can be any Region. Please see -[Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) -for more details. - -`sts get-session-token` AWS CLI can be used to generate temporary credentials. -For example. 
with MFA-enabled: -```js -aws> sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@example.com --duration-seconds 129600 --token-code 123456 -``` - -Because temporary security credentials are short term, after they expire, the -user needs to generate new ones and manually update the package configuration in -order to continue collecting `aws` metrics. - -This will cause data loss if the configuration is not updated with new credentials before the old ones expire. - -##### IAM role ARN - -An IAM role is an IAM identity that you can create in your account that has -specific permissions that determine what the identity can and cannot do in AWS. - -A role does not have standard long-term credentials such as a password or access -keys associated with it. Instead, when you assume a role, it provides you with -temporary security credentials for your role session. -IAM role Amazon Resource Name (ARN) can be used to specify which AWS IAM role to assume to generate -temporary credentials. - -Please see [AssumeRole API documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) for more details. - -##### Supported Formats -1. Use access keys: Access keys include `access_key_id`, `secret_access_key` -and/or `session_token`. -2. Use `role_arn`: `role_arn` is used to specify which AWS IAM role to assume - for generating temporary credentials. - If `role_arn` is given, the package will check if access keys are given. - If not, the package will check for credential profile name. - If neither is given, default credential profile will be used. - - Please make sure credentials are given under either a credential profile or - access keys. -3. Use `credential_profile_name` and/or `shared_credential_file`: - If `access_key_id`, `secret_access_key` and `role_arn` are all not given, then - the package will check for `credential_profile_name`. 
- If you use different credentials for different tools or applications, you can use profiles to - configure multiple access keys in the same configuration file. - If there is no `credential_profile_name` given, the default profile will be used. - `shared_credential_file` is optional to specify the directory of your shared - credentials file. - If it's empty, the default directory will be used. - In Windows, shared credentials file is at `C:\Users\\.aws\credentials`. - For Linux, macOS or Unix, the file locates at `~/.aws/credentials`. - Please see[Create Shared Credentials File](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/create-shared-credentials-file.html) - for more details. - -**Exported fields** - - | Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| crowdstrike.AgentLoadFlags | | keyword |
-| crowdstrike.AgentLocalTime | | date |
-| crowdstrike.AgentTimeOffset | | float |
-| crowdstrike.AgentVersion | | keyword |
-| crowdstrike.AllocateVirtualMemoryCount | | long |
-| crowdstrike.ApiReturnValue | | keyword |
-| crowdstrike.ArchiveFileWrittenCount | | long |
-| crowdstrike.AsepWrittenCount | | long |
-| crowdstrike.AttemptNumber | | long |
-| crowdstrike.AuthenticationId | | keyword |
-| crowdstrike.AuthenticationPackage | | keyword |
-| crowdstrike.AuthenticationUuid | | keyword |
-| crowdstrike.AuthenticationUuidAsString | | keyword |
-| crowdstrike.BinaryExecutableWrittenCount | | long |
-| crowdstrike.BiosManufacturer | | keyword |
-| crowdstrike.BiosReleaseDate | | date |
-| crowdstrike.BiosVersion | | keyword |
-| crowdstrike.BootArgs | | keyword |
-| crowdstrike.BootTimeFunctionalityLevel | | keyword |
-| crowdstrike.BoundedCount | | long |
-| crowdstrike.BundleID | | keyword |
-| crowdstrike.CLICreationCount | | long |
-| crowdstrike.CallStackModuleNames | | keyword |
-| crowdstrike.CallStackModuleNamesVersion | | version |
-| crowdstrike.ChannelDiffStatus | | keyword |
-| crowdstrike.ChannelId | | 
keyword |
-| crowdstrike.ChannelVersion | | keyword |
-| crowdstrike.ChannelVersionRequired | | keyword |
-| crowdstrike.ChasisManufacturer | | keyword |
-| crowdstrike.ChassisType | | keyword |
-| crowdstrike.ClientComputerName | | keyword |
-| crowdstrike.CompletionEventId | | keyword |
-| crowdstrike.ConHostId | | keyword |
-| crowdstrike.ConHostProcessId | | keyword |
-| crowdstrike.ConfigBuild | | keyword |
-| crowdstrike.ConfigIDBase | | keyword |
-| crowdstrike.ConfigIDBuild | | keyword |
-| crowdstrike.ConfigIDPlatform | | keyword |
-| crowdstrike.ConfigStateData | | keyword |
-| crowdstrike.ConfigStateHash | | keyword |
-| crowdstrike.ConfigurationVersion | | keyword |
-| crowdstrike.ConnectTime | | date |
-| crowdstrike.ConnectType | | keyword |
-| crowdstrike.ConnectionFlags | | keyword |
-| crowdstrike.ContextProcessId | | keyword |
-| crowdstrike.CpuClockSpeed | | keyword |
-| crowdstrike.CpuFeaturesMask | | keyword |
-| crowdstrike.CpuProcessorName | | keyword |
-| crowdstrike.CpuSignature | | keyword |
-| crowdstrike.CpuVendor | | keyword |
-| crowdstrike.CreateProcessCount | | long |
-| crowdstrike.CreateProcessType | | keyword |
-| crowdstrike.CurrentFunctionalityLevel | | keyword |
-| crowdstrike.CycleTime | | long |
-| crowdstrike.DesiredAccess | | keyword |
-| crowdstrike.DeviceId | | keyword |
-| crowdstrike.DirectoryCreatedCount | | long |
-| crowdstrike.DirectoryEnumeratedCount | | long |
-| crowdstrike.DnsRequestCount | | long |
-| crowdstrike.DocumentFileWrittenCount | | long |
-| crowdstrike.DownloadPath | | keyword |
-| crowdstrike.DownloadPort | | long |
-| crowdstrike.DownloadServer | | keyword |
-| crowdstrike.DualRequest | | keyword |
-| crowdstrike.ELFSubType | | keyword |
-| crowdstrike.EffectiveTransmissionClass | | keyword |
-| crowdstrike.EnabledPrivilegesBitmask | | keyword |
-| crowdstrike.Entitlements | | keyword |
-| crowdstrike.ErrorCode | | keyword |
-| crowdstrike.ErrorStatus | | keyword |
-| crowdstrike.EtwRawThreadId | | 
long |
-| crowdstrike.ExeAndServiceCount | | long |
-| crowdstrike.ExecutableDeletedCount | | long |
-| crowdstrike.FXFileSize | | keyword |
-| crowdstrike.Facility | | keyword |
-| crowdstrike.FailedConnectCount | | long |
-| crowdstrike.FalconGroupingTags | | keyword |
-| crowdstrike.FeatureExtractionVersion | | keyword |
-| crowdstrike.FeatureVector | | keyword |
-| crowdstrike.File | | keyword |
-| crowdstrike.FileAttributes | | keyword |
-| crowdstrike.FileDeletedCount | | long |
-| crowdstrike.FileEcpBitmask | | keyword |
-| crowdstrike.FileObject | | keyword |
-| crowdstrike.FirmwareAnalysisEclConsumerInterfaceVersion | | keyword |
-| crowdstrike.FirmwareAnalysisEclControlInterfaceVersion | | keyword |
-| crowdstrike.FirstSeen | | date |
-| crowdstrike.Flags | | keyword |
-| crowdstrike.GenericFileWrittenCount | | long |
-| crowdstrike.GrandParentBaseFileName | | keyword |
-| crowdstrike.HostHiddenStatus | | keyword |
-| crowdstrike.IOServiceClass | | keyword |
-| crowdstrike.IOServiceName | | keyword |
-| crowdstrike.IOServicePath | | keyword |
-| crowdstrike.ImageSubsystem | | keyword |
-| crowdstrike.InContext | | keyword |
-| crowdstrike.InDiscards | | keyword |
-| crowdstrike.InErrors | | keyword |
-| crowdstrike.InMulticastPkts | | keyword |
-| crowdstrike.InOctets | | keyword |
-| crowdstrike.InUcastPkts | | keyword |
-| crowdstrike.InUnknownProtos | | keyword |
-| crowdstrike.Information | | keyword |
-| crowdstrike.InjectedDllCount | | long |
-| crowdstrike.InjectedThreadCount | | long |
-| crowdstrike.IntegrityLevel | | keyword |
-| crowdstrike.InterfaceAlias | | keyword |
-| crowdstrike.InterfaceGuid | | keyword |
-| crowdstrike.InterfaceIndex | | long |
-| crowdstrike.InterfaceType | | keyword |
-| crowdstrike.InterfaceVersion | | keyword |
-| crowdstrike.IrpFlags | | keyword |
-| crowdstrike.IsOnNetwork | | keyword |
-| crowdstrike.IsOnRemovableDisk | | keyword |
-| crowdstrike.IsTransactedFile | | keyword |
-| crowdstrike.KernelTime | | long | 
-| crowdstrike.LfoUploadFlags | | keyword |
-| crowdstrike.LightningLatencyState | | keyword |
-| crowdstrike.Line | | keyword |
-| crowdstrike.LogicalCoreCount | | long |
-| crowdstrike.LoginSessionId | | keyword |
-| crowdstrike.LogoffTime | | date |
-| crowdstrike.LogonDomain | | keyword |
-| crowdstrike.LogonId | | keyword |
-| crowdstrike.LogonServer | | keyword |
-| crowdstrike.LogonTime | | date |
-| crowdstrike.LogonType | | keyword |
-| crowdstrike.MLModelVersion | | keyword |
-| crowdstrike.MachOSubType | | keyword |
-| crowdstrike.MajorFunction | | keyword |
-| crowdstrike.MajorVersion | | keyword |
-| crowdstrike.Malicious | | keyword |
-| crowdstrike.MaxThreadCount | | long |
-| crowdstrike.MemoryTotal | | keyword |
-| crowdstrike.MicrocodeSignature | | keyword |
-| crowdstrike.MinorFunction | | keyword |
-| crowdstrike.MinorVersion | | keyword |
-| crowdstrike.MoboManufacturer | | keyword |
-| crowdstrike.MoboProductName | | keyword |
-| crowdstrike.ModelPrediction | | keyword |
-| crowdstrike.ModuleLoadCount | | long |
-| crowdstrike.NDRoot | | keyword |
-| crowdstrike.NeighborList | | keyword |
-| crowdstrike.NetLuidIndex | | long |
-| crowdstrike.NetworkBindCount | | long |
-| crowdstrike.NetworkCapableAsepWriteCount | | long |
-| crowdstrike.NetworkCloseCount | | long |
-| crowdstrike.NetworkConnectCount | | long |
-| crowdstrike.NetworkConnectCountUdp | | long |
-| crowdstrike.NetworkContainmentState | | keyword |
-| crowdstrike.NetworkListenCount | | long |
-| crowdstrike.NetworkModuleLoadCount | | long |
-| crowdstrike.NetworkRecvAcceptCount | | long |
-| crowdstrike.NewExecutableWrittenCount | | long |
-| crowdstrike.NewFileIdentifier | | keyword |
-| crowdstrike.OSVersionFileData | | keyword |
-| crowdstrike.OSVersionFileName | | keyword |
-| crowdstrike.OU | | keyword |
-| crowdstrike.OperationFlags | | keyword |
-| crowdstrike.Options | | keyword |
-| crowdstrike.OutErrors | | keyword |
-| crowdstrike.OutMulticastPkts | | keyword |
-| 
crowdstrike.OutOctets | | keyword |
-| crowdstrike.OutUcastPkts | | keyword |
-| crowdstrike.Parameter1 | | keyword |
-| crowdstrike.Parameter2 | | keyword |
-| crowdstrike.Parameter3 | | keyword |
-| crowdstrike.ParentAuthenticationId | | keyword |
-| crowdstrike.PasswordLastSet | | keyword |
-| crowdstrike.PciAttachmentState | | keyword |
-| crowdstrike.PhysicalAddressLength | | long |
-| crowdstrike.PhysicalCoreCount | | long |
-| crowdstrike.PointerSize | | keyword |
-| crowdstrike.PreviousConnectTime | | date |
-| crowdstrike.PrivilegedProcessHandleCount | | long |
-| crowdstrike.PrivilegesBitmask | | keyword |
-| crowdstrike.ProcessCount | | long |
-| crowdstrike.ProcessCreateFlags | | keyword |
-| crowdstrike.ProcessParameterFlags | | keyword |
-| crowdstrike.ProcessSxsFlags | | keyword |
-| crowdstrike.ProcessorPackageCount | | long |
-| crowdstrike.ProductType | | keyword |
-| crowdstrike.ProtectVirtualMemoryCount | | long |
-| crowdstrike.ProvisionState | | keyword |
-| crowdstrike.PupAdwareConfidence | | keyword |
-| crowdstrike.PupAdwareDecisionValue | | keyword |
-| crowdstrike.QueueApcCount | | long |
-| crowdstrike.RFMState | | keyword |
-| crowdstrike.RGID | | keyword |
-| crowdstrike.RUID | | keyword |
-| crowdstrike.ReasonOfFunctionalityLevel | | keyword |
-| crowdstrike.RegKeySecurityDecreasedCount | | long |
-| crowdstrike.RemoteAccount | | keyword |
-| crowdstrike.RemovableDiskFileWrittenCount | | long |
-| crowdstrike.RequestType | | keyword |
-| crowdstrike.RpcClientProcessId | | keyword |
-| crowdstrike.RpcClientThreadId | | keyword |
-| crowdstrike.RpcNestingLevel | | keyword |
-| crowdstrike.RpcOpNum | | keyword |
-| crowdstrike.RunDllInvocationCount | | long |
-| crowdstrike.SVGID | | keyword |
-| crowdstrike.SVUID | | keyword |
-| crowdstrike.ScreenshotsTakenCount | | long |
-| crowdstrike.ScriptEngineInvocationCount | | long |
-| crowdstrike.SensorGroupingTags | | keyword |
-| crowdstrike.SensorStateBitMap | | keyword |
-| 
crowdstrike.ServiceDisplayName | | keyword |
-| crowdstrike.ServiceEventCount | | long |
-| crowdstrike.ServicePackMajor | | keyword |
-| crowdstrike.SessionId | | keyword |
-| crowdstrike.SessionProcessId | | keyword |
-| crowdstrike.SetThreadContextCount | | long |
-| crowdstrike.ShareAccess | | keyword |
-| crowdstrike.SiteName | | keyword |
-| crowdstrike.Size | | long |
-| crowdstrike.SnapshotFileOpenCount | | long |
-| crowdstrike.SourceFileName | | keyword |
-| crowdstrike.SourceProcessId | | keyword |
-| crowdstrike.SourceThreadId | | keyword |
-| crowdstrike.Status | | keyword |
-| crowdstrike.SubStatus | | keyword |
-| crowdstrike.SuppressType | | keyword |
-| crowdstrike.SuspectStackCount | | long |
-| crowdstrike.SuspiciousCredentialModuleLoadCount | | long |
-| crowdstrike.SuspiciousDnsRequestCount | | long |
-| crowdstrike.SuspiciousFontLoadCount | | long |
-| crowdstrike.SuspiciousRawDiskReadCount | | long |
-| crowdstrike.SyntheticPR2Flags | | keyword |
-| crowdstrike.SystemManufacturer | | keyword |
-| crowdstrike.SystemProductName | | keyword |
-| crowdstrike.SystemSerialNumber | | keyword |
-| crowdstrike.SystemSku | | keyword |
-| crowdstrike.SystemTableIndex | | long |
-| crowdstrike.Tags | | keyword |
-| crowdstrike.TargetFileName | | keyword |
-| crowdstrike.TargetThreadId | | keyword |
-| crowdstrike.Time | | date |
-| crowdstrike.Timeout | | long |
-| crowdstrike.TokenType | | keyword |
-| crowdstrike.USN | | keyword |
-| crowdstrike.UnixMode | | keyword |
-| crowdstrike.UnsignedModuleLoadCount | | long |
-| crowdstrike.UploadId | | keyword |
-| crowdstrike.UserFlags | | keyword |
-| crowdstrike.UserGroupsBitmask | | keyword |
-| crowdstrike.UserLogoffType | | keyword |
-| crowdstrike.UserLogonFlags | | keyword |
-| crowdstrike.UserMemoryAllocateExecutableCount | | long |
-| crowdstrike.UserMemoryAllocateExecutableRemoteCount | | long |
-| crowdstrike.UserMemoryProtectExecutableCount | | long |
-| 
crowdstrike.UserMemoryProtectExecutableRemoteCount | | long |
-| crowdstrike.UserSid | | keyword |
-| crowdstrike.UserTime | | long |
-| crowdstrike.VerifiedCertificate | | keyword |
-| crowdstrike.VnodeModificationType | | keyword |
-| crowdstrike.VnodeType | | keyword |
-| crowdstrike.VolumeAppearanceTime | | keyword |
-| crowdstrike.VolumeBusName | | keyword |
-| crowdstrike.VolumeBusPath | | keyword |
-| crowdstrike.VolumeDeviceCharacteristics | | keyword |
-| crowdstrike.VolumeDeviceInternal | | keyword |
-| crowdstrike.VolumeDeviceModel | | keyword |
-| crowdstrike.VolumeDeviceObjectFlags | | keyword |
-| crowdstrike.VolumeDevicePath | | keyword |
-| crowdstrike.VolumeDeviceProtocol | | keyword |
-| crowdstrike.VolumeDeviceRevision | | keyword |
-| crowdstrike.VolumeDeviceType | | keyword |
-| crowdstrike.VolumeDriveLetter | | keyword |
-| crowdstrike.VolumeFileSystemDevice | | keyword |
-| crowdstrike.VolumeFileSystemDriver | | keyword |
-| crowdstrike.VolumeFileSystemType | | keyword |
-| crowdstrike.VolumeIsEncrypted | | keyword |
-| crowdstrike.VolumeIsNetwork | | keyword |
-| crowdstrike.VolumeMediaBSDMajor | | keyword |
-| crowdstrike.VolumeMediaBSDMinor | | keyword |
-| crowdstrike.VolumeMediaBSDName | | keyword |
-| crowdstrike.VolumeMediaBSDUnit | | keyword |
-| crowdstrike.VolumeMediaContent | | keyword |
-| crowdstrike.VolumeMediaEjectable | | keyword |
-| crowdstrike.VolumeMediaName | | keyword |
-| crowdstrike.VolumeMediaPath | | keyword |
-| crowdstrike.VolumeMediaRemovable | | keyword |
-| crowdstrike.VolumeMediaSize | | keyword |
-| crowdstrike.VolumeMediaUUID | | keyword |
-| crowdstrike.VolumeMediaWhole | | keyword |
-| crowdstrike.VolumeMediaWritable | | keyword |
-| crowdstrike.VolumeMountPoint | | keyword |
-| crowdstrike.VolumeName | | keyword |
-| crowdstrike.VolumeRealDeviceName | | keyword |
-| crowdstrike.VolumeSectorSize | | keyword |
-| crowdstrike.VolumeType | | keyword |
-| crowdstrike.VolumeUUID | | keyword |
-|
crowdstrike.WindowFlags | | keyword |
-| crowdstrike.cid | | keyword |
-| crowdstrike.name | | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain.
For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`.
The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
| keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.device | Device that is the source of the file. | keyword |
-| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
-| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| file.inode | Inode representing the file in the filesystem. | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| file.type | File type (file, dir, or symlink). | keyword |
-| host.geo.city_name | City name. | keyword |
-| host.geo.continent_name | Name of the continent. | keyword |
-| host.geo.country_name | Country name. | keyword |
-| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| input.type | | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name.
It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.offset | | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| observer.address | | keyword |
-| observer.geo.city_name | City name. | keyword |
-| observer.geo.continent_name | Name of the continent. | keyword |
-| observer.geo.country_iso_code | Country ISO code. | keyword |
-| observer.geo.country_name | Country name.
| keyword |
-| observer.geo.location | Longitude and latitude. | geo_point |
-| observer.geo.region_iso_code | Region ISO code. | keyword |
-| observer.geo.region_name | Region name. | keyword |
-| observer.ip | IP addresses of the observer. | ip |
-| observer.serial_number | Observer serial number. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| os.version | Operating system version as a raw string. | keyword |
-| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
-| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.end | The time the process ended. | date |
-| process.entity_id | Unique identifier for the process.
The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
-| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
-| process.pgid | Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to. | long |
-| process.pid | Process id. | long |
-| process.start | The time the process started. | date |
-| process.thread.id | Thread ID. | long |
-| process.title | Process title. The proctitle, some times the same as process name.
Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
-| process.title.text | Multi-field of `process.title`. | match_only_text |
-| process.uptime | Seconds the process has been up. | long |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.
In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source.
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
| keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.group.id | Unique identifier for the group on the system/platform. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`.
| match_only_text |
-
-
-An example event for `fdr` looks as following:
-
-```json
-{
- "@timestamp": "2020-11-08T09:58:32.519Z",
- "agent": {
- "ephemeral_id": "8cb3a21e-5542-440a-a909-8a2f161001ba",
- "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.0"
- },
- "crowdstrike": {
- "ConfigStateHash": "1763245019",
- "DesiredAccess": "1179785",
- "EffectiveTransmissionClass": "3",
- "Entitlements": "15",
- "FileAttributes": "0",
- "FileObject": "18446670458156489088",
- "Information": "1",
- "IrpFlags": "2180",
- "MajorFunction": "0",
- "MinorFunction": "0",
- "OperationFlags": "0",
- "Options": "16777312",
- "ShareAccess": "5",
- "Status": "0",
- "cid": "ffffffff30a3407dae27d0503611022d",
- "name": "RansomwareOpenFileV4"
- },
- "data_stream": {
- "dataset": "crowdstrike.fdr",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "action": "RansomwareOpenFile",
- "agent_id_status": "verified",
- "category": [
- "file"
- ],
- "created": "2020-11-08T17:07:22.091Z",
- "dataset": "crowdstrike.fdr",
- "id": "ffffffff-1111-11eb-9756-06fe7f8f682f",
- "ingested": "2022-05-09T16:39:37Z",
- "kind": "alert",
- "original":
"{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1763245019\",\"ContextProcessId\":\"1016182570608\",\"ContextThreadId\":\"37343520154472\",\"ContextTimeStamp\":\"1604829512.519\",\"DesiredAccess\":\"1179785\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"0\",\"FileIdentifier\":\"7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00\",\"FileObject\":\"18446670458156489088\",\"Information\":\"1\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"16777312\",\"ShareAccess\":\"5\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user11\\\\Downloads\\\\file.pptx\",\"aid\":\"ffffffffac4148947ed68497e89f3308\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"RansomwareOpenFile\",\"id\":\"ffffffff-1111-11eb-9756-06fe7f8f682f\",\"name\":\"RansomwareOpenFileV4\",\"timestamp\":\"1604855242091\"}",
- "outcome": "success",
- "timezone": "+00:00",
- "type": [
- "access"
- ]
- },
- "file": {
- "directory": "\\Device\\HarddiskVolume3\\Users\\user11\\Downloads",
- "extension": "pptx",
- "inode": "7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00",
- "name": "file.pptx",
- "path": "\\Device\\HarddiskVolume3\\Users\\user11\\Downloads\\file.pptx",
- "type": "file"
- },
- "input": {
- "type": "log"
- },
- "log": {
- "file": {
- "path": "/tmp/service_logs/fdr-sample.log"
- },
- "offset": 95203
- },
- "observer": {
- "address": "67.43.156.14",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.14",
- "serial_number": "ffffffffac4148947ed68497e89f3308",
- "type": "agent",
- "vendor": "crowdstrike",
- "version": "1007.3.0011603.1"
- },
- "os": {
- "type": "windows"
- },
- "process": {
- "entity_id": "1016182570608",
- "thread": {
- "id": 37343520154472
- }
- },
- "related": {
- "hash": [
- "1763245019"
- ],
- "hosts": [
- "67.43.156.14"
- ],
- "ip": [
- "67.43.156.14"
- ]
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "crowdstrike-fdr"
- ],
- "url": {
- "scheme": "http"
- }
-}
-```
diff --git a/packages/crowdstrike/1.3.3/img/fdr-overview.png b/packages/crowdstrike/1.3.3/img/fdr-overview.png
deleted file mode 100755
index a960bc3781..0000000000
Binary files a/packages/crowdstrike/1.3.3/img/fdr-overview.png and /dev/null differ
diff --git a/packages/crowdstrike/1.3.3/img/logo-integrations-crowdstrike.svg b/packages/crowdstrike/1.3.3/img/logo-integrations-crowdstrike.svg
deleted file mode 100755
index 1b2195a224..0000000000
--- a/packages/crowdstrike/1.3.3/img/logo-integrations-crowdstrike.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/crowdstrike/1.3.3/img/siem-alerts-cs.jpg b/packages/crowdstrike/1.3.3/img/siem-alerts-cs.jpg
deleted file mode 100755
index b74edfe229..0000000000
Binary files a/packages/crowdstrike/1.3.3/img/siem-alerts-cs.jpg and /dev/null differ
diff --git a/packages/crowdstrike/1.3.3/img/siem-events-cs.jpg b/packages/crowdstrike/1.3.3/img/siem-events-cs.jpg
deleted file mode 100755
index 9839f73821..0000000000
Binary files a/packages/crowdstrike/1.3.3/img/siem-events-cs.jpg and /dev/null differ
diff --git a/packages/crowdstrike/1.3.3/kibana/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f.json b/packages/crowdstrike/1.3.3/kibana/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f.json
deleted file mode 100755
index a8960ff152..0000000000
--- a/packages/crowdstrike/1.3.3/kibana/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f.json
+++ /dev/null
@@ -1,117 +0,0 @@ -{ - "attributes": { - "description": "Summarised overview for Crowdstrike FDR events.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"crowdstrike.fdr\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"0307e118-9fac-4923-ad6e-b588a8bd939f\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"geoField\\\":\\\"observer.geo.location\\\",\\\"filterByMapBounds\\\":true,\\\"scalingType\\\":\\\"CLUSTERS\\\",\\\"id\\\":\\\"4c8af7e5-4ec6-43de-84ea-8df092cea5f8\\\",\\\"type\\\":\\\"ES_SEARCH\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"tooltipProperties\\\":[],\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"topHitsSplitField\\\":\\\"\\\",\\\"topHitsSize\\\":1},\\\"id\\\":\\\"6b7c69d1-9248-4af3-b437-0abcef344b67\\\",\\\"label\\\":\\\"Agent 
locations\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":1}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"BLENDED_VECTOR\\\",\\\"joins\\\":[]},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"sourceGeoField\\\":\\\"source.geo.location\\\",\\\"destGeoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"0314931e-5e8d-4609-be8a-b478a6afed11\\\",\\\"type\\\":\\\"ES_PEW_PEW\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}]},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"c
olor\\\":\\\"#494193\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"minSize\\\":1,\\\"maxSize\\\":10,\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":true,\\\"sigma\\\":3}}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"1b3c966b-6756-41dc-8875-a936e36dd0c2\\\",\\\"label\\\":\\\"Connections\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR\\\",\\\"joins\\\":[]}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15M\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\
\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":360,\"minLat\":-85.05113,\"minLon\":-360},\"mapCenter\":{\"lat\":25.7461,\"lon\":0,\"zoom\":0.73},\"openTOCDetails\":[]},\"gridData\":{\"h\":17,\"i\":\"26961648-cc31-4ed6-a378-698523307b21\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"26961648-cc31-4ed6-a378-698523307b21\",\"title\":\"Agents and connections\",\"type\":\"map\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1928976e-020d-48bd-9887-d9fd1925f69e\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1928976e-020d-48bd-9887-d9fd1925f69e\":{\"columnOrder\":[\"7aaadac8-55b7-4979-9bf1-b02a9673b502\",\"5ec733a8-d11d-472d-9328-3c48b41a17ac\"],\"columns\":{\"5ec733a8-d11d-472d-9328-3c48b41a17ac\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"7aaadac8-55b7-4979-9bf1-b02a9673b502\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 
events\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5ec733a8-d11d-472d-9328-3c48b41a17ac\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"event.kind\",\"negate\":true,\"params\":{\"query\":\"alert\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"alert\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7aaadac8-55b7-4979-9bf1-b02a9673b502\",\"isTransposed\":false},{\"alignment\":\"center\",\"columnId\":\"5ec733a8-d11d-472d-9328-3c48b41a17ac\",\"isTransposed\":false,\"summaryRow\":\"none\"}],\"layerId\":\"1928976e-020d-48bd-9887-d9fd1925f69e\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"7564f2a4-7167-4d71-8ce2-ece32f217487\",\"w\":10,\"x\":16,\"y\":0},\"panelIndex\":\"7564f2a4-7167-4d71-8ce2-ece32f217487\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-085f4952-432b-4bd3-9740-e99f42a7877b\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"085f4952-432b-4bd3-9740-e99f42a7877b\":{\"columnOrder\":[\"20a2e92b-1ebe-4ed0-b3ab-b446bd60edfd\",\"0a3ada5d-923b-461b-8885-e7fdcd948034\"],\"columns\":{\"0a3ada5d-923b-461b-8885-e7fdcd948034\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"20a2e92b-1ebe-4ed0-b3ab-b446bd60edfd\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0a3ada5d-923b-461b-8885-e7fdcd948034\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"dns.question.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"DnsRequest\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"DnsRequest\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"20a2e92b-1ebe-4ed0-b3ab-b446bd60edfd\",\"isTransposed\":false},{\"alignment\":\"center\",\"columnId\":\"0a3ada5d-923b-461b-8885-e7fdcd948034\",\"isTransposed\":false}],\"layerId\":\"085f4952-432b-4bd3-9740-e99f42a7877b\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"396c3ab7-572c-41dc-af21-e8d3d6ad3fe0\",\"w\":9,\"x\":26,\"y\":9},\"panelIndex\":\"396c3ab7-572c-41dc-af21-e8d3d6ad3fe0\",\"title\":\"Top DNS 
queries\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-880420b9-97fb-4f5a-8dd2-36f95cb02182\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"880420b9-97fb-4f5a-8dd2-36f95cb02182\":{\"columnOrder\":[\"45f3413c-e658-43ec-bf3a-ad25977fb32c\",\"c90d7c88-034f-42f4-94d2-605ae294940e\"],\"columns\":{\"45f3413c-e658-43ec-bf3a-ad25977fb32c\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"user.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c90d7c88-034f-42f4-94d2-605ae294940e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"user.name\"},\"c90d7c88-034f-42f4-94d2-605ae294940e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"45f3413c-e658-43ec-bf3a-ad25977fb32c\",\"isTransposed\":false},{\"columnId\":\"c90d7c88-034f-42f4-94d2-605ae294940e\",\"hidden\":false,\"isTransposed\":false}],\"layerId\":\"880420b9-97fb-4f5a-8dd2-36f95cb02182\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"e48dfc31-ef5f-4696-904c-c5320e8dcac9\",\"w\":13,\"x\":35,\"y\":0},\"panelIndex\":\"e48dfc31-ef5f-4696-904c-c5320e8dcac9\",\"title\":\"Top 
users\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a3aa7199-d806-4c69-afd1-ae1cbfa7865e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a3aa7199-d806-4c69-afd1-ae1cbfa7865e\":{\"columnOrder\":[\"3f895fa6-e7e2-4ad8-83bc-e476954007b0\",\"ce4ef8ef-9113-46dc-9026-40fe66f609aa\"],\"columns\":{\"3f895fa6-e7e2-4ad8-83bc-e476954007b0\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of dns.question.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ce4ef8ef-9113-46dc-9026-40fe66f609aa\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"dns.question.type\"},\"ce4ef8ef-9113-46dc-9026-40fe66f609aa\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{},\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3f895fa6-e7e2-4ad8-83bc-e476954007b0\"],\"layerId\":\"a3aa7199-d806-4c69-afd1-ae1cbfa7865e\",\"legendDisplay\":\"default\",\"metric\":\"ce4ef8ef-9113-46dc-9026-40fe66f609aa\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":6,\"i\":\"757dd906-982e-437f-aac0-b090310b9288\",\"w\":9,\"x\":26,\"y\":20},\"panelIndex\":\"757dd906-982e-437f-aac0-b090310b9288\",\"title\":\"DNS query 
types\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c8088761-74a6-433a-a405-f26c709cebe3\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c8088761-74a6-433a-a405-f26c709cebe3\":{\"columnOrder\":[\"97e2d50d-d871-4922-b0f8-2d50b2ace84a\",\"bbbbf917-0caa-41ee-89dc-18ea0f8bcfe3\"],\"columns\":{\"97e2d50d-d871-4922-b0f8-2d50b2ace84a\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"file.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"bbbbf917-0caa-41ee-89dc-18ea0f8bcfe3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"file.name\"},\"bbbbf917-0caa-41ee-89dc-18ea0f8bcfe3\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"97e2d50d-d871-4922-b0f8-2d50b2ace84a\",\"isTransposed\":false},{\"columnId\":\"bbbbf917-0caa-41ee-89dc-18ea0f8bcfe3\",\"isTransposed\":false}],\"layerId\":\"c8088761-74a6-433a-a405-f26c709cebe3\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"355965cd-eb00-4357-bdd8-1640627d1191\",\"w\":13,\"x\":35,\"y\":12},\"panelIndex\":\"355965cd-eb00-4357-bdd8-1640627d1191\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-911bafb0-aeb7-4830-8a40-6166c96fb123\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"911bafb0-aeb7-4830-8a40-6166c96fb123\":{\"columnOrder\":[\"3c0eeb61-8b82-44b3-aba7-66c5b08fe8a9\",\"2c75b3a9-1b14-42d5-a8d0-44e461d4afab\"],\"columns\":{\"2c75b3a9-1b14-42d5-a8d0-44e461d4afab\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"3c0eeb61-8b82-44b3-aba7-66c5b08fe8a9\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"2c75b3a9-1b14-42d5-a8d0-44e461d4afab\"],\"layerId\":\"911bafb0-aeb7-4830-8a40-6166c96fb123\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"3c0eeb61-8b82-44b3-aba7-66c5b08fe8a9\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"0325f703-a3cc-4a43-b621-974baae08c00\",\"w\":26,\"x\":0,\"y\":17},\"panelIndex\":\"0325f703-a3cc-4a43-b621-974baae08c00\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-35e353f8-fd89-43a0-ad8c-c5d202f098d2\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"35e353f8-fd89-43a0-ad8c-c5d202f098d2\":{\"columnOrder\":[\"b00df131-3742-4fa3-8645-032847f0266b\",\"b89debc2-4203-43c7-ba15-6612030f67bd\"],\"columns\":{\"b00df131-3742-4fa3-8645-032847f0266b\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 
alerts\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b89debc2-4203-43c7-ba15-6612030f67bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"},\"b89debc2-4203-43c7-ba15-6612030f67bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"alert\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"alert\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"crowdstrike.fdr\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"b00df131-3742-4fa3-8645-032847f0266b\",\"isTransposed\":false},{\"columnId\":\"b89debc2-4203-43c7-ba15-6612030f67bd\",\"isTransposed\":false}],\"layerId\":\"35e353f8-fd89-43a0-ad8c-c5d202f098d2\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"32c13eb0-f12d-44d8-8ec4-ea778840fabf\",\"w\":9,\"x\":26,\"y\":0},\"panelIndex\":\"32c13eb0-f12d-44d8-8ec4-ea778840fabf\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Crowdstrike] FDR Overview", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "26961648-cc31-4ed6-a378-698523307b21:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "26961648-cc31-4ed6-a378-698523307b21:layer_2_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"7564f2a4-7167-4d71-8ce2-ece32f217487:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7564f2a4-7167-4d71-8ce2-ece32f217487:indexpattern-datasource-layer-1928976e-020d-48bd-9887-d9fd1925f69e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7564f2a4-7167-4d71-8ce2-ece32f217487:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "396c3ab7-572c-41dc-af21-e8d3d6ad3fe0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "396c3ab7-572c-41dc-af21-e8d3d6ad3fe0:indexpattern-datasource-layer-085f4952-432b-4bd3-9740-e99f42a7877b", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "396c3ab7-572c-41dc-af21-e8d3d6ad3fe0:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e48dfc31-ef5f-4696-904c-c5320e8dcac9:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e48dfc31-ef5f-4696-904c-c5320e8dcac9:indexpattern-datasource-layer-880420b9-97fb-4f5a-8dd2-36f95cb02182", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "757dd906-982e-437f-aac0-b090310b9288:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "757dd906-982e-437f-aac0-b090310b9288:indexpattern-datasource-layer-a3aa7199-d806-4c69-afd1-ae1cbfa7865e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "355965cd-eb00-4357-bdd8-1640627d1191:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "355965cd-eb00-4357-bdd8-1640627d1191:indexpattern-datasource-layer-c8088761-74a6-433a-a405-f26c709cebe3", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0325f703-a3cc-4a43-b621-974baae08c00:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"0325f703-a3cc-4a43-b621-974baae08c00:indexpattern-datasource-layer-911bafb0-aeb7-4830-8a40-6166c96fb123", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "32c13eb0-f12d-44d8-8ec4-ea778840fabf:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "32c13eb0-f12d-44d8-8ec4-ea778840fabf:indexpattern-datasource-layer-35e353f8-fd89-43a0-ad8c-c5d202f098d2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "32c13eb0-f12d-44d8-8ec4-ea778840fabf:filter-index-pattern-0", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/crowdstrike/1.3.3/manifest.yml b/packages/crowdstrike/1.3.3/manifest.yml deleted file mode 100755 index be25d14211..0000000000 --- a/packages/crowdstrike/1.3.3/manifest.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -name: crowdstrike -title: CrowdStrike Logs -version: "1.3.3" -description: Collect and parse falcon logs from Crowdstrike products with Elastic Agent. -type: integration -format_version: 1.0.0 -license: basic -categories: [security] -release: ga -conditions: - kibana.version: "^7.17.0 || ^8.0.0" -icons: - - src: /img/logo-integrations-crowdstrike.svg - title: CrowdStrike - size: 216x216 - type: image/svg+xml -screenshots: - - src: /img/siem-alerts-cs.jpg - title: CrowdStrike SIEM Alerts - size: 3360x1776 - type: image/jpg - - src: /img/siem-events-cs.jpg - title: CrowdStrike SIEM Events - size: 3360x1776 - type: image/jpg - - src: /img/fdr-overview.png - title: CrowdStrike FDR Overview - size: 1535x626 - type: image/png -policy_templates: - - name: crowdstrike - title: CrowdStrike - description: Collect logs from CrowdStrike Falcon and FDR - inputs: - - type: logfile - title: "Collect CrowdStrike Falcon and FDR logs (input: logfile)" - description: "Collecting logs from CrowdStrike Falcon and FDR (input: logfile)" - - type: aws-s3 - title: "Collect CrowdStrike Falcon Data Replicator logs (input: aws-s3)" - description: "Collecting logs from CrowdStrike Falcon Data Replicator (input: aws-s3)" -owner: - github: elastic/security-external-integrations diff --git a/packages/cyberarkpas/2.4.1/changelog.yml b/packages/cyberarkpas/2.4.1/changelog.yml deleted file mode 100755 index 11744fcb8f..0000000000 --- a/packages/cyberarkpas/2.4.1/changelog.yml +++ /dev/null 
@@ -1,109 +0,0 @@ -# newer versions go on top -- version: "2.4.1" - changes: - - description: Update to readme. added link to vendor documentation - type: enhancement - link: https://github.com/elastic/integrations/pull/3222 -- version: "2.4.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "2.3.2" - changes: - - description: Fix error ingesting events with a single entry in the CAProperties field - type: bugfix - link: https://github.com/elastic/integrations/pull/2965 -- version: "2.3.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 - - description: Remove duplicated definition of `event.dataset` field. - type: bugfix - link: https://github.com/elastic/integrations/pull/2916 -- version: "2.3.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2400 -- version: "2.2.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "2.2.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "2.2.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2223 -- version: "2.1.4" - changes: - - description: Uniform with guidelines - type: enhancement - link: https://github.com/elastic/integrations/pull/2024 -- version: "2.1.3" - changes: - - description: Remove dash from title for consistency with brand. - type: enhancement - link: https://github.com/elastic/integrations/pull/2004 -- version: "2.1.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1962 -- version: "2.1.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1814 -- version: "2.1.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1657 -- version: "2.0.0" - changes: - - description: make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1631 -- version: "1.2.3" - changes: - - description: Convert to generated ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/1474 -- version: '1.2.2' - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1380 -- version: "1.2.1" - changes: - - description: Escape special characters in docs - type: enhancement - link: https://github.com/elastic/integrations/pull/1405 -- version: "1.2.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "1.1.0" - changes: - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1260 -- version: "1.0.1" - changes: - - description: updating ECS version and adding event.original options - type: enhancement - link: https://github.com/elastic/integrations/pull/1039 -- version: "1.0.0" - changes: - - description: initial release - type: enhancement - link: https://github.com/elastic/integrations/pull/928 diff --git a/packages/cyberarkpas/2.4.1/data_stream/audit/agent/stream/log.yml.hbs b/packages/cyberarkpas/2.4.1/data_stream/audit/agent/stream/log.yml.hbs deleted file mode 100755 index 4a720c1d38..0000000000 --- a/packages/cyberarkpas/2.4.1/data_stream/audit/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,20 +0,0 @@ -paths: -{{#each paths as |path i|}} -- {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -- add_locale: ~ -{{#if processors}} -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/cyberarkpas/2.4.1/data_stream/audit/agent/stream/tcp.yml.hbs b/packages/cyberarkpas/2.4.1/data_stream/audit/agent/stream/tcp.yml.hbs deleted file mode 100755 index 63b1142efc..0000000000 --- a/packages/cyberarkpas/2.4.1/data_stream/audit/agent/stream/tcp.yml.hbs +++ /dev/null @@ -1,20 +0,0 @@ -tcp: -host: "{{syslog_host}}:{{syslog_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -processors: -- add_locale: ~ -{{#if processors}} -{{processors}} -{{/if}} diff --git a/packages/cyberarkpas/2.4.1/data_stream/audit/agent/stream/udp.yml.hbs b/packages/cyberarkpas/2.4.1/data_stream/audit/agent/stream/udp.yml.hbs deleted file mode 100755 index 3b9f36d9ca..0000000000 --- a/packages/cyberarkpas/2.4.1/data_stream/audit/agent/stream/udp.yml.hbs +++ /dev/null @@ -1,17 +0,0 @@ -udp: -host: "{{syslog_host}}:{{syslog_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -- add_locale: ~ -{{#if processors}} -{{processors}} -{{/if}} diff --git a/packages/cyberarkpas/2.4.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/cyberarkpas/2.4.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index c12922ca45..0000000000 
--- a/packages/cyberarkpas/2.4.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,1193 +0,0 @@ ---- -description: Pipeline for CyberArk PAS - -processors: - # - # Set ECS version. - # - - set: - field: ecs.version - value: '8.2.0' - - # - # Set event.original from message, unless reindexing. - # - - rename: - field: message - target_field: event.original - if: 'ctx.event?.original == null' - - # - # Parse syslog headers (if any) and extract JSON payload. - # - - grok: - field: event.original - patterns: - # RFC5424 from CyberArk. - # UseLegacySyslogFormat=No - # <5>1 2021-03-04T17:28:23Z VAULT {"format":"elastic","version":"1.0",...} - - "^<%{NONNEGINT:log.syslog.priority:long}>%{NONNEGINT} %{TIMESTAMP_ISO8601:_tmp.syslog_ts} %{SYSLOGHOST:_tmp.hostname} %{JSON_PAYLOAD:_tmp.payload}" - - # Legacy format. - # UseLegacySyslogFormat=Yes - # Mar 08 02:57:42 VAULT {"format":"elastic","version":"1.0",...} - - "^%{SYSLOGTIMESTAMP:_tmp.syslog_ts} %{SYSLOGHOST:_tmp.hostname} %{JSON_PAYLOAD:_tmp.payload}" - - # Catch-all mode, just JSON payload. - - "%{JSON_PAYLOAD:_tmp.payload}" - pattern_definitions: - JSON_PAYLOAD: '{"format":"elastic","version":"1.0",.*}' - on_failure: - - fail: - message: "unexpected event format: {{{_ingest.on_failure_message}}}" - - - json: - field: _tmp.payload - target_field: _tmp.json - on_failure: - - fail: - message: "malformed JSON event: {{{_ingest.on_failure_message}}}" - - - rename: - field: _tmp.json.syslog.audit_record - target_field: cyberarkpas.audit - on_failure: - - fail: - message: "unexpected event structure: {{{_ingest.on_failure_message}}}" - - - # - # Remove all empty fields - # - - script: - lang: painless - description: 'Removes empty audit fields' - source: >- - ctx.cyberarkpas.audit.entrySet().removeIf(entry -> entry.getValue() == ""); - - - rename: - field: _tmp.json.raw - target_field: cyberarkpas.audit.raw - ignore_missing: true - - # The following processors populate @timestamp from the different sources that can exist in an event. 
- # In the following order of precedence: - # - IsoTimestamp field (expected ISO8601). Present when new syslog format is used (rfc5424: yes). - # - Timestamp (expected MMM dd HH:mm:ss). Also present only when new syslog format is used. - # - Syslog header timestamp. Either ISO8601 or legacy MMM dd HH:mm:ss, depending on the syslog format in use. - # - Original @timestamp from Filebeat. - - date: - if: 'ctx.cyberarkpas.audit.IsoTimestamp != null' - field: cyberarkpas.audit.IsoTimestamp - target_field: _tmp.timestamp - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: "failed to parse ISO timestamp field: {{{cyberarkpas.audit.IsoTimestamp}}}: {{{_ingest.on_failure_message}}}" - - - date: - if: 'ctx._tmp.timestamp == null && ctx.cyberarkpas.audit.Timestamp != null' - field: cyberarkpas.audit.Timestamp - target_field: _tmp.timestamp - formats: - # This is the default format. - - 'MMM dd HH:mm:ss' - # Drop a few other formats in case the above fails. - - ISO8601 - - 'MMM d HH:mm:ss' - - "EEE MMM dd HH:mm:ss" - - "EEE MMM d HH:mm:ss" - - "MMM d HH:mm:ss z" - - "MMM dd HH:mm:ss z" - - "EEE MMM d HH:mm:ss z" - - "EEE MMM dd HH:mm:ss z" - - "MMM d yyyy HH:mm:ss" - - "MMM dd yyyy HH:mm:ss" - - "EEE MMM d yyyy HH:mm:ss" - - "EEE MMM dd yyyy HH:mm:ss" - - "MMM d yyyy HH:mm:ss z" - - "MMM dd yyyy HH:mm:ss z" - - "EEE MMM d yyyy HH:mm:ss z" - - "EEE MMM dd yyyy HH:mm:ss z" - on_failure: - - append: - field: error.message - value: "failed to parse timestamp field: {{{cyberarkpas.audit.Timestamp}}}: {{{_ingest.on_failure_message}}}" - - - date: - if: 'ctx._tmp.timestamp == null && ctx._tmp.syslog_ts != null && ctx.event?.timezone == null' - field: _tmp.syslog_ts - target_field: _tmp.timestamp - formats: - # This is the default format. - - 'MMM dd HH:mm:ss' - # Drop a few other formats in case the above fails. 
- - ISO8601 - - 'MMM d HH:mm:ss' - - "EEE MMM dd HH:mm:ss" - - "EEE MMM d HH:mm:ss" - - "MMM d HH:mm:ss z" - - "MMM dd HH:mm:ss z" - - "EEE MMM d HH:mm:ss z" - - "EEE MMM dd HH:mm:ss z" - - "MMM d yyyy HH:mm:ss" - - "MMM dd yyyy HH:mm:ss" - - "EEE MMM d yyyy HH:mm:ss" - - "EEE MMM dd yyyy HH:mm:ss" - - "MMM d yyyy HH:mm:ss z" - - "MMM dd yyyy HH:mm:ss z" - - "EEE MMM d yyyy HH:mm:ss z" - - "EEE MMM dd yyyy HH:mm:ss z" - on_failure: - - append: - field: error.message - value: "failed to parse legacy syslog timestamp: {{{_tmp.syslog_ts}}}: {{{_ingest.on_failure_message}}}" - - - date: - if: 'ctx._tmp.timestamp == null && ctx._tmp.syslog_ts != null && ctx.event?.timezone != null' - field: _tmp.syslog_ts - target_field: _tmp.timestamp - timezone: '{{{event.timezone}}}' - formats: - # This is the default format. - - 'MMM dd HH:mm:ss' - # Drop a few other formats in case the above fails. - - ISO8601 - - 'MMM d HH:mm:ss' - - "EEE MMM dd HH:mm:ss" - - "EEE MMM d HH:mm:ss" - - "MMM d HH:mm:ss z" - - "MMM dd HH:mm:ss z" - - "EEE MMM d HH:mm:ss z" - - "EEE MMM dd HH:mm:ss z" - - "MMM d yyyy HH:mm:ss" - - "MMM dd yyyy HH:mm:ss" - - "EEE MMM d yyyy HH:mm:ss" - - "EEE MMM dd yyyy HH:mm:ss" - - "MMM d yyyy HH:mm:ss z" - - "MMM dd yyyy HH:mm:ss z" - - "EEE MMM d yyyy HH:mm:ss z" - - "EEE MMM dd yyyy HH:mm:ss z" - on_failure: - - append: - field: error.message - value: "failed to parse legacy syslog timestamp: {{{_tmp.syslog_ts}}}: {{{_ingest.on_failure_message}}}" - - - set: - field: '@timestamp' - value: '{{{_tmp.timestamp}}}' - ignore_empty_value: true - override: true - - # This script ensures that CAProperties.CAProperty is an array. - # When there's a single property, it is serialised as an object instead - # of a single element array. 
- - script: - lang: painless - description: "Converts CAProperties into an array if necessary" - source: > - def props = ctx.cyberarkpas?.audit?.CAProperties?.CAProperty; - if (props != null && props instanceof Map) { - ctx.cyberarkpas.audit.CAProperties.CAProperty = [ props ]; - } - - # This script converts the nested object under cyberarkpas.audit.CAProperties.CAProperty - # into an object under cyberarkpas.audit.CAProperties: - # - # input: - # "cyberarkpas.audit.CAProperties.CAProperty": [ - # { - # "Name": "PolicyID", - # "Value": "LINUX-SSH" - # }, - # { - # "Name": "UserName", - # "Value": "test12" - # } - # output: - # "cyberarkpas.audit.CAProperties": - # { - # "PolicyID": "LINUX-SSH", - # "UserName": "test12" - # } - - foreach: - field: cyberarkpas.audit.CAProperties.CAProperty - ignore_missing: true - processor: - set: - field: 'cyberarkpas.audit.CAProperties.{{{_ingest._value.Name}}}' - value: '{{{_ingest._value.Value}}}' - on_failure: - - append: - field: error.message - value: "failed to process CAProperties array: {{{_ingest.on_failure_message}}}" - - remove: - field: cyberarkpas.audit.CAProperties.CAProperty - ignore_missing: true - - # Parse key-value pairs at ExtraDetails: - # input: - # "cyberarkpas.audit.ExtraDetails": "Command=ls \"/var/tmp\";ConnectionComponentId=PSMP-SSH;DstHost=[...]", - # - # output: - # "cyberarkpas.audit.ExtraDetails": - # { - # "Command": "ls \"/var/tmp\"", - # "ConnectionComponentId": "PSMP-SSH", - # "DstHost": [...] - # - # The original string can contain escaped separators, \= and \; - - kv: - field: cyberarkpas.audit.ExtraDetails - field_split: '(? 
- String to_snake_case(String s) { - /* faster code path for strings that won't need an underscore */ - if (s.chars().skip(1).noneMatch(Character::isUpperCase)) { - return s.toLowerCase(); - } - int run = 0; - boolean first = true; - StringBuilder result = new StringBuilder(); - for (char c : s.toCharArray()) { - char o = Character.toLowerCase(c); - if (c != o) { - if (run == 0 && !first) { - result.append('_'); - } - run ++; - } else { - if (run > 1) { - char prev = result.charAt(result.length()-1); - result.setCharAt(result.length()-1, (char)'_'); - result.append(prev); - } - run = 0; - first = false; - } - result.append(o); - } - return result.toString(); - } - def keys_to_snake_case_recursive(Map object) { - return object.entrySet().stream().collect( - Collectors.toMap( - e -> to_snake_case(e.getKey()), - e -> e.getValue() instanceof Map? keys_to_snake_case_recursive(e.getValue()) : e.getValue() - ) - ); - } - ctx.cyberarkpas.audit = keys_to_snake_case_recursive(ctx.cyberarkpas.audit); - - # - # Convert rfc5424 field to boolean. - # - - script: - description: 'Converts the rfc5424 audit field to a boolean' - lang: painless - source: > - def value = ctx.cyberarkpas.audit.rfc5424; - ctx.cyberarkpas.audit["rfc5424"] = value == 'yes'; - - ######################################################## - # ECS enrichment - # - # All processors from this point use the snake_case form - # to access CyberArk fields. 
- ######################################################## - - - set: - field: event.kind - value: event - - - lowercase: - field: cyberarkpas.audit.action - target_field: event.action - ignore_missing: true - - # Severity to number - # - # Possible values: - # Info -> 0 - # Error -> 7 - # Critical -> 10 - - set: - field: event.severity - value: 2 - if: 'ctx.cyberarkpas.audit.severity == "Info"' - - set: - field: event.severity - value: 7 - if: 'ctx.cyberarkpas.audit.severity == "Error"' - - set: - field: event.severity - value: 10 - if: 'ctx.cyberarkpas.audit.severity == "Critical"' - - set: - field: event.type - value: error - if: 'ctx.event?.severity > 6' - - - rename: - field: cyberarkpas.audit.message_id - target_field: event.code - ignore_missing: true - - - set: - field: source.address - value: '{{{cyberarkpas.audit.station}}}' - ignore_empty_value: true - - - set: - field: destination.address - value: '{{{cyberarkpas.audit.gateway_station}}}' - ignore_empty_value: true - - - set: - field: file.path - value: '{{{cyberarkpas.audit.file}}}' - if: 'ctx.cyberarkpas.audit?.file != null' - - # - # Observer fields - # - - rename: - field: cyberarkpas.audit.vendor - target_field: observer.vendor - ignore_missing: true - - rename: - field: cyberarkpas.audit.product - target_field: observer.product - ignore_missing: true - - rename: - field: cyberarkpas.audit.version - target_field: observer.version - ignore_missing: true - - rename: - field: cyberarkpas.audit.hostname - target_field: observer.hostname - ignore_missing: true - # Use hostname from syslog if audit record's Hostname field is missing. 
- - rename: - field: _tmp.hostname - target_field: observer.hostname - ignore_missing: true - if: 'ctx.observer?.hostname == null' - # - # Enrichment based on message_id - # - # This script is overly complicated (read_field) because at this time - # there is no processor that allows to set one field from a source - # field using indirection (it is possible with rename, but that - # removes the original field). - # - # Once something like this is possible: - # set: - # target_field: '{{{_ingest.value.to}}}' - # copy_from: '{{{_ingest.value.from}}}' - # - # ... this script can be updated to just create two output lists, one - # for value-to pairs, another for value-from pairs. - # - - script: - lang: painless - description: 'ECS enrichment based on message_id' - params: - # 4 - User Authentication - # - # Always a failure. - "4": - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["authentication"] - - set: event.type - value: ["error"] - - set: event.action - value: "authentication_failure" - - set: event.outcome - value: "failure" - - # 7 - Logon - # - # User logged on to the PVWA. - "7": - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: [ "authentication", "session"] - - set: event.type - value: [ "start"] - - set: event.action - value: "authentication_success" - - set: event.outcome - value: "success" - - # 8 - Logoff - # - # User logged of from the PVWA. - "8": # Logoff - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: [ "authentication", "session"] - - set: event.type - value: ["end"] - - set: event.outcome - value: "success" - - # 19 - Full gateway connection. 
- "19": - - set: source.user.name - from: cyberarkpas.audit.source_user - - set: user.name - from: cyberarkpas.audit.source_user - - set: destination.user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["network"] - - set: event.type - value: ["start"] - - set: event.outcome - value: "success" - - # 22 - CPM Verify Password - # - # Password on a target host is verified. - "22": - # Address of device that hosts the account. - - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["admin", "info"] - - # 23 - Action on closed safe - # - # Nothing remarkable. - # - # "23": - - # 24 - CPM Change Password - "24": - - set: destination.address # This could be host.* or user.target.* (doesn't exists). - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - set: user.target.name - from: cyberarkpas.audit.ca_properties.user_name - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["user", "change"] - - # 31 - CPM Reconcile Password - # - "31": - - set: destination.address # This could be host.* or user.target.* (doesn't exists). - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - set: user.target.name - from: cyberarkpas.audit.ca_properties.user_name - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["user", "change"] - - # 32 - Add Owner - # - # Change owner of a Safe. 
- # source_user performs the action, docs suggest otherwise. - "32": - - set: user.name - from: cyberarkpas.audit.issuer - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.category - value: ["iam"] # How to best model Vault/Safes? An IAM system? A Database? - - set: event.type - value: ["admin", "change"] - - set: event.outcome - value: "success" - - # 33 - Update Owner - # - # Same as above - "33": - - set: user.name - from: cyberarkpas.audit.issuer - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.category - value: ["iam"] # How to best model Vault/Safes? An IAM system? A Database? - - set: event.type - value: ["admin", "change"] - - set: event.outcome - value: "success" - - # 38 - CPM Verify Password Failed - # - # Like 22 but failed. - "38": - # Address of device that hosts the account. - - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - value: "failure" - - set: event.reason - from: cyberarkpas.audit.ca_properties.cpm_error_details - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["error"] - - # 50 - Store File - # - # I don't think it makes much sense to enrich Vault file events as "file" category. - # This will involve probably constructing a file.path prefixed by the safe name. - # Then these file events may be treated as file events in SIEM, which can have - # unwanted consequences. - # "50": - - # 57 - CPM Change Password Failed - "57": - - set: destination.address # This could be host.* or user.target.* (doesn't exists). 
- from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - value: "failure" - - set: user.target.name - from: cyberarkpas.audit.ca_properties.user_name - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["user", "change", "error"] - - set: event.reason - from: cyberarkpas.audit.ca_properties.cpm_error_details - - # 60 - CPM Reconcile Password Failed - "60": - - set: destination.address # This could be host.* or user.target.* (doesn't exists). - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - value: "failure" - - set: user.target.name - from: cyberarkpas.audit.ca_properties.user_name - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["user", "change", "error"] - - set: event.reason - from: cyberarkpas.audit.ca_properties.cpm_error_details - - # 130 - CPM Disable Password - "130": - - set: event.outcome - value: "failure" - - set: user.target.name - from: cyberarkpas.audit.ca_properties.user_name - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["user", "change"] - - set: event.reason - from: cyberarkpas.audit.ca_properties.cpm_error_details - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - # 174 - Change User (untested) - "174": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - value: ["user", "change"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 175 - Change Your User (untested) - "175": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - value: ["user", "change"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 176 - Delete User (untested) - "176": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - 
value: ["user", "deletion"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 177 - Delete Your User (untested) - "177": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - value: ["user", "deletion"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 173 - Add User (alternative to 180, untested) - "173": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - value: ["user", "creation"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 180 - Add User - "180": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - value: ["user", "creation"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 295 - Retrieve Password succeeded - "295": - - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["admin", "access"] - - set: event.outcome - value: "success" - - set: event.reason - from: cyberarkpas.audit.reason - - # 300 - PSM Connect - "300": - - set: destination.address - from: cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: event.category - value: ["session"] - - set: event.type - value: ["start"] - - set: event.outcome - value: "success" - - # 302 - PSM Disconnect - "302": - - set: destination.address - from: 
cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: _tmp.duration_hms - from: cyberarkpas.audit.extra_details.session_duration - - set: event.category - value: ["session"] - - set: event.type - value: ["end"] - - set: event.outcome - value: "success" - - # 308 - Use Password - "308": - - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["admin", "access"] - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - set: event.reason - from: cyberarkpas.audit.reason - - # 309 - Undefined user logon - # - "309": - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["authentication"] - - set: event.type - value: ["error"] - - set: event.action - value: "authentication_failure" - - set: event.outcome - value: "failure" - - # 361 - Keystroke logging - "361": - - set: destination.address - from: cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: event.category - value: ["session"] - - set: event.type - value: ["info"] - - # 412 - Keystroke logging (same as 361?) 
- "412": - - set: destination.address - from: cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: event.category - value: ["session"] - - set: event.type - value: ["info"] - - # 359 - SQL Command - "359": - - set: destination.address - from: cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: event.category - value: ["database"] - - set: event.type - value: ["access"] - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - # 411 - Window Title - "411": - - set: destination.address - from: cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: process.pid - from: cyberarkpas.audit.extra_details.process_id - - set: process.name - from: cyberarkpas.audit.extra_details.process_name - - set: event.category - value: ["process"] - - set: event.type - value: ["access", "info"] - - # 414 - CPM Verify SSH Key - # - # SSH-key on a target host is verified. - "414": - # Address of device that hosts the account. 
- - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["admin", "info"] - - # 428 - Retrieve SSH Key - "428": - - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["admin", "access"] - - set: event.outcome - value: "success" - - set: event.reason - from: cyberarkpas.audit.reason - - source: > - def clone(def val) { - return val instanceof List? new ArrayList(val) : val; - } - def read_field(def map, String name) { - if (map == null || !(map instanceof Map)) return null; - int pos = name.indexOf("."); - return pos == -1? map[name] - : read_field(map[name.substring(0, pos)], name.substring(pos+1)); - } - String msgID = ctx.event?.code; - def actions = params.get(msgID); - if (actions == null) return; - List values = new ArrayList(); - for (def item : actions) { - def val = item.value; - if (val == null && (val = read_field(ctx, item.from)) == null || val == "") continue; - values.add([ - "to": item.set, - "value": clone(val) - ]); - } - if (!values.isEmpty()) ctx._tmp["values"] = values; - - - foreach: - field: _tmp.values - ignore_missing: true - processor: - set: - field: '{{{_ingest._value.to}}}' - copy_from: '_ingest._value.value' - ignore_empty_value: true - override: true - - # - # Force event.outcome: unknown in case it gets a value other than one of the allowed. 
- # - - set: - field: event.outcome - value: 'unknown' - if: 'ctx.event?.outcome != null && !["success", "failure"].contains(ctx.event.outcome)' - - - # - # Set event.duration from the session duration ("hh:mm:ss") present in some messages. - # - - script: - lang: painless - description: 'Set event.duration from the session duration ("hh:mm:ss")' - if: "ctx._tmp?.duration_hms != null" - source: > - long parse_hms(String s) { - long cur = 0, total = 0; - for (char c: s.toCharArray()) { - if (c >= (char)'0' && c <= (char)'9') { - cur = (cur*10) + (long)c - (char)'0'; - } else if (c == (char)':') { - total = (total + cur) * 60; - cur = 0; - } else { - return 0; - } - } - return total + cur; - } - long nanos = parse_hms(ctx._tmp.duration_hms) * 1000000000L; - ctx.event['duration'] = nanos; - - # - # Populate ip/domain fields from address. - # - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true - on_failure: - - set: - field: source.domain - copy_from: source.address - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - set: - field: destination.domain - copy_from: destination.address - - # - # Populate related.ip - # - - append: - field: related.ip - value: '{{{source.ip}}}' - if: 'ctx.source?.ip != null' - allow_duplicates: false - - append: - field: related.ip - value: '{{{destination.ip}}}' - if: 'ctx.destination?.ip != null' - allow_duplicates: false - - append: - field: related.ip - value: '{{{cyberarkpas.audit.station}}}' - if: 'ctx.cyberarkpas.audit.station != null' - allow_duplicates: false - - append: - field: related.ip - value: '{{{cyberarkpas.audit.gateway_station}}}' - if: 'ctx.cyberarkpas.audit.gateway_station != null' - allow_duplicates: false - - # - # Populate related.user - # - - append: - field: related.user - value: '{{{user.name}}}' - if: 'ctx.user?.name != null' - allow_duplicates: false - - append: - field: related.user - value: 
'{{{source.user.name}}}' - if: 'ctx.source?.user?.name != null' - allow_duplicates: false - - append: - field: related.user - value: '{{{destination.user.name}}}' - if: 'ctx.destination?.user?.name != null' - allow_duplicates: false - - append: - field: related.user - value: '{{{user.target.name}}}' - if: 'ctx.user?.target?.name != null' - allow_duplicates: false - - # - # sometimes application is capitalized. - # - - lowercase: - field: network.application - ignore_missing: true - - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # - # Set host.name - # This sets host.name from observer.hostname when the original event from Filebeat didn't - # have a host.name. This is the case of forwarded events (the tag "forwarded" is present). - # - - set: - field: host.name - value: '{{{observer.hostname}}}' - ignore_empty_value: true - if: 'ctx.host?.name == null' - - - network_direction: - ignore_missing: true - internal_networks: - - loopback - - private - - unspecified - - - convert: - field: process.pid - type: long - ignore_missing: true - - # - # Save only interesting fields under extra_fields and ca_properties - # to prevent mapping explosion. Keep the rest under .other (type flattened). - # - - script: - lang: painless - description: Map interesting fields from ca_properties and extra_details. 
- params: - ca_properties: - - address - - cpm_disabled - - cpm_error_details - - cpm_status - - creation_method - - customer - - database - - device_type - - dual_account_status - - group_name - - in_process - - index - - last_fail_date - - last_success_change - - last_success_reconciliation - - last_success_verification - - last_task - - logon_domain - - policy_id - - port - - privcloud - - reset_immediately - - retries_count - - sequence_id - - tags - - user_dn - - user_name - - virtual_username - extra_details: - - ad_process_id - - ad_process_name - - application_type - - command - - connection_component_id - - dst_host - - logon_account - - managed_account - - process_id - - process_name - - protocol - - psmid - - session_duration - - session_id - - src_host - - username - source: > - Map audit = ctx.cyberarkpas.audit; - params.entrySet().stream().filter(e -> audit.containsKey(e.getKey())).forEach(lst -> { - Map base = audit[lst.getKey()], - selected = new HashMap(); - lst.getValue().stream().filter(fld -> base.containsKey(fld)).forEach(fld -> { - selected[fld] = base.remove(fld); - }); - selected['other'] = base; - audit[lst.getKey()] = selected; - }); - # - # Cleanup - # - - remove: - field: _tmp - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - remove: - field: _tmp - ignore_missing: true - - set: - field: event.kind - value: pipeline_error diff --git a/packages/cyberarkpas/2.4.1/data_stream/audit/fields/base-fields.yml b/packages/cyberarkpas/2.4.1/data_stream/audit/fields/base-fields.yml deleted file mode 100755 index 62b68b8872..0000000000 --- a/packages/cyberarkpas/2.4.1/data_stream/audit/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: cyberarkpas
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: cyberarkpas.audit
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/cyberarkpas/2.4.1/data_stream/audit/fields/beats.yml b/packages/cyberarkpas/2.4.1/data_stream/audit/fields/beats.yml
deleted file mode 100755
index 9275638f93..0000000000
--- a/packages/cyberarkpas/2.4.1/data_stream/audit/fields/beats.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/cyberarkpas/2.4.1/data_stream/audit/fields/ecs.yml b/packages/cyberarkpas/2.4.1/data_stream/audit/fields/ecs.yml
deleted file mode 100755
index 7263db5b53..0000000000
--- a/packages/cyberarkpas/2.4.1/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,271 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: destination.user.name - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Name of the module this data is coming from. - If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. - name: event.module - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. 
"Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Hostname of the observer. - name: observer.hostname - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - The type of the service data is collected from. 
- The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Short name or login of the user. 
- multi_fields:
- - name: text
- type: match_only_text
- name: user.target.name
- type: keyword
diff --git a/packages/cyberarkpas/2.4.1/data_stream/audit/fields/fields.yml b/packages/cyberarkpas/2.4.1/data_stream/audit/fields/fields.yml
deleted file mode 100755
index df1d01fe1c..0000000000
--- a/packages/cyberarkpas/2.4.1/data_stream/audit/fields/fields.yml
+++ /dev/null
@@ -1,178 +0,0 @@
-- name: cyberarkpas.audit
- type: group
- fields:
- - name: action
- type: keyword
- description: A description of the audit record.
- - name: ca_properties
- type: group
- description: Account metadata.
- fields:
- - name: address
- type: keyword
- - name: cpm_disabled
- type: keyword
- - name: cpm_error_details
- type: keyword
- - name: cpm_status
- type: keyword
- - name: creation_method
- type: keyword
- - name: customer
- type: keyword
- - name: database
- type: keyword
- - name: device_type
- type: keyword
- - name: dual_account_status
- type: keyword
- - name: group_name
- type: keyword
- - name: in_process
- type: keyword
- - name: index
- type: keyword
- - name: last_fail_date
- type: keyword
- - name: last_success_change
- type: keyword
- - name: last_success_reconciliation
- type: keyword
- - name: last_success_verification
- type: keyword
- - name: last_task
- type: keyword
- - name: logon_domain
- type: keyword
- - name: policy_id
- type: keyword
- - name: port
- type: keyword
- - name: privcloud
- type: keyword
- - name: reset_immediately
- type: keyword
- - name: retries_count
- type: keyword
- - name: sequence_id
- type: keyword
- - name: tags
- type: keyword
- - name: user_dn
- type: keyword
- - name: user_name
- type: keyword
- - name: virtual_username
- type: keyword
- - name: other
- type: flattened
- - name: category
- type: keyword
- description: The category name (for category-related operations).
- - name: desc
- type: keyword
- description: A static value that displays a description of the audit codes.
- - name: extra_details
- type: group
- description: Specific extra details of the audit records.
- fields:
- - name: ad_process_id
- type: keyword
- - name: ad_process_name
- type: keyword
- - name: application_type
- type: keyword
- - name: command
- type: keyword
- - name: connection_component_id
- type: keyword
- - name: dst_host
- type: keyword
- - name: logon_account
- type: keyword
- - name: managed_account
- type: keyword
- - name: process_id
- type: keyword
- - name: process_name
- type: keyword
- - name: protocol
- type: keyword
- - name: psmid
- type: keyword
- - name: session_duration
- type: keyword
- - name: session_id
- type: keyword
- - name: src_host
- type: keyword
- - name: username
- type: keyword
- - name: other
- type: flattened
- - name: file
- type: keyword
- description: The name of the target file.
- - name: gateway_station
- type: ip
- description: The IP of the web application machine (PVWA).
- - name: hostname
- type: keyword
- description: The hostname, in upper case.
- - name: iso_timestamp
- type: date
- description: The timestamp, in ISO Timestamp format (RFC 3339).
- - name: issuer
- type: keyword
- description: The Vault user who wrote the audit. This is usually the user who performed the operation.
- - name: location
- type: keyword
- description: The target Location (for Location operations).
- ignore_above: 4096
- - name: message
- type: keyword
- description: A description of the audit records (same information as in the Desc field).
- - name: message_id
- type: keyword
- description: The code ID of the audit records.
- - name: product
- type: keyword
- description: A static value that represents the product.
- - name: pvwa_details
- type: flattened
- description: Specific details of the PVWA audit records.
- - name: raw
- type: keyword
- description: |
- Raw XML for the original audit record. Only present when XSLT file has debugging enabled.
- ignore_above: 4096
- - name: reason
- type: text
- description: The reason entered by the user.
- - name: rfc5424
- type: boolean
- description: Whether the syslog format complies with RFC5424.
- - name: safe
- type: keyword
- description: The name of the target Safe.
- - name: severity
- type: keyword
- description: The severity of the audit records.
- - name: source_user
- type: keyword
- description: The name of the Vault user who performed the operation.
- - name: station
- type: ip
- description: The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP.
- - name: target_user
- type: keyword
- description: The name of the Vault user on which the operation was performed.
- - name: timestamp
- type: keyword
- description: The timestamp, in MMM DD HH:MM:SS format.
- - name: vendor
- type: keyword
- description: A static value that represents the vendor.
- - name: version
- type: keyword
- description: A static value that represents the version of the Vault.
diff --git a/packages/cyberarkpas/2.4.1/data_stream/audit/manifest.yml b/packages/cyberarkpas/2.4.1/data_stream/audit/manifest.yml
deleted file mode 100755
index ef3df973f9..0000000000
--- a/packages/cyberarkpas/2.4.1/data_stream/audit/manifest.yml
+++ /dev/null
@@ -1,139 +0,0 @@ -type: logs -title: CyberArk PAS audit logs -streams: - - input: logfile - enabled: false - template_path: log.yml.hbs - title: CyberArk PAS audit logs - description: Collect CyberArk PAS audit logs from files. - vars: - - name: paths - type: text - title: Paths - multi: false - required: false - show_user: true - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - cyberarkpas-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - input: tcp - enabled: true - template_path: tcp.yml.hbs - title: CyberArk PAS audit logs (TCP) - description: Collect CyberArk PAS audit logs using TCP input - vars: - - name: syslog_host - type: text - title: Syslog Host - multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Syslog Port - multi: false - required: true - show_user: true - default: 9301 - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cyberarkpas-audit - - forwarded - - name: ssl - type: yaml - title: TLS configuration - multi: false - required: false - show_user: true - description: Options for enabling TLS mode. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options. 
- - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - input: udp - enabled: true - template_path: udp.yml.hbs - title: CyberArk PAS audit logs (UDP) - description: Collect CyberArk PAS audit logs using UDP input - vars: - - name: syslog_host - type: text - title: Syslog Host - multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Syslog Port - multi: false - required: true - show_user: true - default: 9301 - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cyberarkpas-audit - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
diff --git a/packages/cyberarkpas/2.4.1/data_stream/audit/sample_event.json b/packages/cyberarkpas/2.4.1/data_stream/audit/sample_event.json
deleted file mode 100755
index fd888f6521..0000000000
--- a/packages/cyberarkpas/2.4.1/data_stream/audit/sample_event.json
+++ /dev/null
@@ -1,109 +0,0 @@
-{
- "@timestamp": "2021-03-08T18:07:51.000Z",
- "agent": {
- "ephemeral_id": "0c6c824f-931a-418f-9535-22af6210c402",
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "cyberarkpas": {
- "audit": {
- "action": "Full Gateway Connection",
- "desc": "Full Gateway Connection",
- "gateway_station": "10.0.1.20",
- "iso_timestamp": "2021-03-08T18:07:51Z",
- "issuer": "Administrator",
- "message": "Full Gateway Connection",
- "rfc5424": true,
- "severity": "Info",
- "source_user": "PVWAGWUser",
- "station": "127.0.0.1",
- "timestamp": "Mar 08 10:07:51"
- }
- },
- "data_stream": {
- "dataset": "cyberarkpas.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.0.1.20",
- "ip": "10.0.1.20",
- "user": {
- "name": "Administrator"
- }
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "action": "full gateway connection",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "code": "19",
- "dataset": "cyberarkpas.audit",
- "ingested": "2022-02-03T12:51:00Z",
- "kind": "event",
- "outcome": "success",
- "severity": 2,
- "timezone": "+00:00",
- "type": [
- "start"
- ]
- },
- "host": {
- "name": "VAULT"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "172.19.0.7:35950"
- },
- "syslog": {
- "priority": 5
- }
- },
- "network": {
- "direction": "internal"
- },
- "observer": {
- "hostname": "VAULT",
- "product": "Vault",
- "vendor": "Cyber-Ark",
- "version": "11.7.0000"
- },
- "related": {
- "ip": [
- "127.0.0.1",
- "10.0.1.20"
- ],
- "user": [
- "PVWAGWUser",
- "Administrator"
- ]
- },
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1",
- "user": {
- "name": "PVWAGWUser"
- }
- },
- "tags": [
- "cyberarkpas-audit",
- "forwarded"
- ],
- "user": {
- "name": "PVWAGWUser"
- }
-}
\ No newline at end of file
diff --git a/packages/cyberarkpas/2.4.1/docs/README.md b/packages/cyberarkpas/2.4.1/docs/README.md
deleted file mode 100755
index 12fd2f9948..0000000000
--- a/packages/cyberarkpas/2.4.1/docs/README.md
+++ /dev/null
@@ -1,297 +0,0 @@ -# CyberArk Privileged Access Security - -The CyberArk Privileged Access Security integration collects audit logs from [CyberArk's Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/Portal/Content/Resources/_TopNav/cc_Portal.htm) server. -## Audit - -The `audit` dataset receives Vault Audit logs for User and Safe activities over the syslog protocol. - -### Vault Configuration - -Follow the steps under [Security Information and Event Management (SIEM) Applications](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) documentation to setup the integration: - -- Copy the [elastic-json-v1.0.xsl](https://raw.githubusercontent.com/elastic/beats/master/x-pack/filebeat/module/cyberarkpas/_meta/assets/elastic-json-v1.0.xsl) XSL Translator file to -the `Server\Syslog` folder. - -- Sample syslog configuration for `DBPARM.ini`: - -```ini -[SYSLOG] -UseLegacySyslogFormat=No -SyslogTranslatorFile=Syslog\elastic-json-v1.0.xsl -SyslogServerIP= -SyslogServerPort= -SyslogServerProtocol=TCP -``` - -For proper timestamping of events, it's recommended to use the newer RFC5424 Syslog format -(`UseLegacySyslogFormat=No`). To avoid event loss, use `TCP` or `TLS` protocols instead of `UDP`. 
- -### Example event - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2021-03-08T18:07:51.000Z", - "agent": { - "ephemeral_id": "0c6c824f-931a-418f-9535-22af6210c402", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "cyberarkpas": { - "audit": { - "action": "Full Gateway Connection", - "desc": "Full Gateway Connection", - "gateway_station": "10.0.1.20", - "iso_timestamp": "2021-03-08T18:07:51Z", - "issuer": "Administrator", - "message": "Full Gateway Connection", - "rfc5424": true, - "severity": "Info", - "source_user": "PVWAGWUser", - "station": "127.0.0.1", - "timestamp": "Mar 08 10:07:51" - } - }, - "data_stream": { - "dataset": "cyberarkpas.audit", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.0.1.20", - "ip": "10.0.1.20", - "user": { - "name": "Administrator" - } - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "full gateway connection", - "agent_id_status": "verified", - "category": [ - "network" - ], - "code": "19", - "dataset": "cyberarkpas.audit", - "ingested": "2022-02-03T12:51:00Z", - "kind": "event", - "outcome": "success", - "severity": 2, - "timezone": "+00:00", - "type": [ - "start" - ] - }, - "host": { - "name": "VAULT" - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.19.0.7:35950" - }, - "syslog": { - "priority": 5 - } - }, - "network": { - "direction": "internal" - }, - "observer": { - "hostname": "VAULT", - "product": "Vault", - "vendor": "Cyber-Ark", - "version": "11.7.0000" - }, - "related": { - "ip": [ - "127.0.0.1", - "10.0.1.20" - ], - "user": [ - "PVWAGWUser", - "Administrator" - ] - }, - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1", - "user": { - "name": "PVWAGWUser" - } - }, - "tags": [ - 
"cyberarkpas-audit", - "forwarded" - ], - "user": { - "name": "PVWAGWUser" - } -} -``` - -**Exported fields** - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cyberarkpas.audit.action | A description of the audit record. | keyword | -| cyberarkpas.audit.ca_properties.address | | keyword | -| cyberarkpas.audit.ca_properties.cpm_disabled | | keyword | -| cyberarkpas.audit.ca_properties.cpm_error_details | | keyword | -| cyberarkpas.audit.ca_properties.cpm_status | | keyword | -| cyberarkpas.audit.ca_properties.creation_method | | keyword | -| cyberarkpas.audit.ca_properties.customer | | keyword | -| cyberarkpas.audit.ca_properties.database | | keyword | -| cyberarkpas.audit.ca_properties.device_type | | keyword | -| cyberarkpas.audit.ca_properties.dual_account_status | | keyword | -| cyberarkpas.audit.ca_properties.group_name | | keyword | -| cyberarkpas.audit.ca_properties.in_process | | keyword | -| cyberarkpas.audit.ca_properties.index | | keyword | -| cyberarkpas.audit.ca_properties.last_fail_date | | keyword | -| cyberarkpas.audit.ca_properties.last_success_change | | keyword | -| cyberarkpas.audit.ca_properties.last_success_reconciliation | | keyword | -| cyberarkpas.audit.ca_properties.last_success_verification | | keyword | -| cyberarkpas.audit.ca_properties.last_task | | keyword | -| cyberarkpas.audit.ca_properties.logon_domain | | keyword | -| cyberarkpas.audit.ca_properties.other | | flattened | -| cyberarkpas.audit.ca_properties.policy_id | | keyword | -| cyberarkpas.audit.ca_properties.port | | keyword | -| cyberarkpas.audit.ca_properties.privcloud | | keyword | -| cyberarkpas.audit.ca_properties.reset_immediately | | keyword | -| cyberarkpas.audit.ca_properties.retries_count | | keyword | -| cyberarkpas.audit.ca_properties.sequence_id | | keyword | -| cyberarkpas.audit.ca_properties.tags | | keyword | -| cyberarkpas.audit.ca_properties.user_dn | | keyword | -| 
cyberarkpas.audit.ca_properties.user_name | | keyword | -| cyberarkpas.audit.ca_properties.virtual_username | | keyword | -| cyberarkpas.audit.category | The category name (for category-related operations). | keyword | -| cyberarkpas.audit.desc | A static value that displays a description of the audit codes. | keyword | -| cyberarkpas.audit.extra_details.ad_process_id | | keyword | -| cyberarkpas.audit.extra_details.ad_process_name | | keyword | -| cyberarkpas.audit.extra_details.application_type | | keyword | -| cyberarkpas.audit.extra_details.command | | keyword | -| cyberarkpas.audit.extra_details.connection_component_id | | keyword | -| cyberarkpas.audit.extra_details.dst_host | | keyword | -| cyberarkpas.audit.extra_details.logon_account | | keyword | -| cyberarkpas.audit.extra_details.managed_account | | keyword | -| cyberarkpas.audit.extra_details.other | | flattened | -| cyberarkpas.audit.extra_details.process_id | | keyword | -| cyberarkpas.audit.extra_details.process_name | | keyword | -| cyberarkpas.audit.extra_details.protocol | | keyword | -| cyberarkpas.audit.extra_details.psmid | | keyword | -| cyberarkpas.audit.extra_details.session_duration | | keyword | -| cyberarkpas.audit.extra_details.session_id | | keyword | -| cyberarkpas.audit.extra_details.src_host | | keyword | -| cyberarkpas.audit.extra_details.username | | keyword | -| cyberarkpas.audit.file | The name of the target file. | keyword | -| cyberarkpas.audit.gateway_station | The IP of the web application machine (PVWA). | ip | -| cyberarkpas.audit.hostname | The hostname, in upper case. | keyword | -| cyberarkpas.audit.iso_timestamp | The timestamp, in ISO Timestamp format (RFC 3339). | date | -| cyberarkpas.audit.issuer | The Vault user who wrote the audit. This is usually the user who performed the operation. | keyword | -| cyberarkpas.audit.location | The target Location (for Location operations). 
| keyword | -| cyberarkpas.audit.message | A description of the audit records (same information as in the Desc field). | keyword | -| cyberarkpas.audit.message_id | The code ID of the audit records. | keyword | -| cyberarkpas.audit.product | A static value that represents the product. | keyword | -| cyberarkpas.audit.pvwa_details | Specific details of the PVWA audit records. | flattened | -| cyberarkpas.audit.raw | Raw XML for the original audit record. Only present when XSLT file has debugging enabled. | keyword | -| cyberarkpas.audit.reason | The reason entered by the user. | text | -| cyberarkpas.audit.rfc5424 | Whether the syslog format complies with RFC5424. | boolean | -| cyberarkpas.audit.safe | The name of the target Safe. | keyword | -| cyberarkpas.audit.severity | The severity of the audit records. | keyword | -| cyberarkpas.audit.source_user | The name of the Vault user who performed the operation. | keyword | -| cyberarkpas.audit.station | The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP. | ip | -| cyberarkpas.audit.target_user | The name of the Vault user on which the operation was performed. | keyword | -| cyberarkpas.audit.timestamp | The timestamp, in MMM DD HH:MM:SS format. | keyword | -| cyberarkpas.audit.vendor | A static value that represents the vendor. | keyword | -| cyberarkpas.audit.version | A static value that represents the version of the Vault. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). 
| keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. 
| long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| observer.hostname | Hostname of the observer. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. 
| keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.pid | Process id. | long | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. 
| match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | - diff --git a/packages/cyberarkpas/2.4.1/img/filebeat-cyberarkpas-overview.png b/packages/cyberarkpas/2.4.1/img/filebeat-cyberarkpas-overview.png deleted file mode 100755 index 768de75855..0000000000 Binary files a/packages/cyberarkpas/2.4.1/img/filebeat-cyberarkpas-overview.png and /dev/null differ diff --git a/packages/cyberarkpas/2.4.1/img/logo.svg b/packages/cyberarkpas/2.4.1/img/logo.svg deleted file mode 100755 index 04930adfd8..0000000000 --- a/packages/cyberarkpas/2.4.1/img/logo.svg +++ /dev/null @@ -1 +0,0 @@ -Asset 25 diff --git a/packages/cyberarkpas/2.4.1/kibana/dashboard/cyberarkpas-eb12ef60-96f6-11eb-bbf8-d77aef8ad7a6.json b/packages/cyberarkpas/2.4.1/kibana/dashboard/cyberarkpas-eb12ef60-96f6-11eb-bbf8-d77aef8ad7a6.json deleted file mode 100755 index 878b317f1f..0000000000 --- a/packages/cyberarkpas/2.4.1/kibana/dashboard/cyberarkpas-eb12ef60-96f6-11eb-bbf8-d77aef8ad7a6.json +++ /dev/null 
@@ -1,160 +0,0 @@ -{ - "attributes": { - "description": "Dashboard for CyberArk Privileged Access Security events.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cyberarkpas.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cyberarkpas.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"observer.hostname\",\"id\":\"1617726994032\",\"indexPattern\":\"logs-*\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\" By Vault host\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"event.code\",\"id\":\"1617811797137\",\"indexPattern\":\"logs-*\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"By event 
code\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":false},\"title\":\"\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"1007fa0d-a6a1-4682-a346-a90acc179da5\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"1007fa0d-a6a1-4682-a346-a90acc179da5\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"cyberarkpas.audit\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"hide_in_legend\":0,\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"rainbow\",\"params\":{\"colors\":[\"#68BC00\",\"#009CE0\",\"#B0BC00\",\"#16A5A5\",\"#D33115\",\"#E27300\",\"#FCC400\",\"#7B64FF\",\"#FA28FF\",\"#333333\",\"#808080\",\"#194D33\",\"#0062B1\",\"#808900\",\"#0C797D\",\"#9F0500\",\"#C45100\",\"#FB9E00\",\"#653294\",\"#AB149E\",\"#0F1419\",\"#666666\"],\"gradient\":false},\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":null,\"split_mode\":\"terms\",\"stacked\":\"stacked\",\"terms_field\":\"cyberarkpas.audit.desc\",\"type\":\"timeseries\"}],\"show_grid\
":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":13,\"i\":\"f2dc3750-9b7c-4b0e-a45d-3d3b08f74f3e\",\"w\":38,\"x\":10,\"y\":0},\"panelIndex\":\"f2dc3750-9b7c-4b0e-a45d-3d3b08f74f3e\",\"title\":\"event types by time\",\"type\":\"visualization\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-33bc0096-e418-4f81-9c7c-7fdd16cc5203\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"33bc0096-e418-4f81-9c7c-7fdd16cc5203\":{\"columnOrder\":[\"eedd5aa8-a7c4-466a-b10b-3a8cba3bac12\"],\"columns\":{\"eedd5aa8-a7c4-466a-b10b-3a8cba3bac12\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\" \",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eedd5aa8-a7c4-466a-b10b-3a8cba3bac12\",\"layerId\":\"33bc0096-e418-4f81-9c7c-7fdd16cc5203\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":4,\"i\":\"af9e9f0b-a40c-411e-b441-2a779983ed24\",\"w\":10,\"x\":0,\"y\":9},\"panelIndex\":\"af9e9f0b-a40c-411e-b441-2a779983ed24\",\"title\":\"Count of 
events\",\"type\":\"lens\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-de047c06-a965-47aa-8a15-8b0266d5abc3\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"de047c06-a965-47aa-8a15-8b0266d5abc3\":{\"columnOrder\":[\"b916e5f5-a64a-49f1-b37a-ee1825fc61a4\",\"3effd03e-0ed9-4e2d-ba8e-d77ae505092e\"],\"columns\":{\"3effd03e-0ed9-4e2d-ba8e-d77ae505092e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b916e5f5-a64a-49f1-b37a-ee1825fc61a4\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.outcome\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"3effd03e-0ed9-4e2d-ba8e-d77ae505092e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.outcome\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b916e5f5-a64a-49f1-b37a-ee1825fc61a4\"],\"layerId\":\"de047c06-a965-47aa-8a15-8b0266d5abc3\",\"legendDisplay\":\"default\",\"metric\":\"3effd03e-0ed9-4e2d-ba8e-d77ae505092e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"7031905a-92ab-4e0e-aa58-72f1c07ff409\",\"w\":10,\"x\":0,\"y\":13},\"panelIndex\":\"7031905a-92ab-4e0e-aa58-72f1c07ff409\",\"title\":\"Breakdown by 
outcome\",\"type\":\"lens\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-19858811-84d1-4f50-901c-dc1451972324\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"19858811-84d1-4f50-901c-dc1451972324\":{\"columnOrder\":[\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\",\"e3526253-18e0-4122-b112-ee5b4b9e23d7\"],\"columns\":{\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of destination.user.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"type\":\"alphabetical\"},\"orderDirection\":\"asc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.user.name\"},\"e3526253-18e0-4122-b112-ee5b4b9e23d7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cyberarkpas.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cyberarkpas.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"308\",\"22\",\"319\",\"295\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"308\"}},{\"match_phrase\":{\"event.code\":\"22\"}},{\"match_phrase\":{\"event.code\":\"319\"}},{\"match_phrase\":{\"event.code\":\"295\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\",\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\",\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\",\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\",\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\",\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\"],\"layerId\":\"19858811-84d1-4f50-901c-dc1451972324\",\"legendDisplay\":\"default\",\"metric\":\"e3526253-18e0-4122-b112-ee5b4b9e23d7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"a24b9c0c-da95-4016-9fe5-2c0d34005832\",\"w\":11,\"x\":10,\"y\":13},\"panelIndex\":\"a24b9c0c-da95-4016-9fe5-2c0d34005832\",\"title\":\"Top 10 user credentials 
accessed\",\"type\":\"lens\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-50325938-6a9e-4a26-946e-4468e68c6591\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"50325938-6a9e-4a26-946e-4468e68c6591\":{\"columnOrder\":[\"8a965540-daa1-4848-80bb-96ddf53a328f\",\"c05a39ad-2983-4f4a-900d-a939ecbda504\",\"a808a872-71b5-4a76-a939-354f68991881\"],\"columns\":{\"8a965540-daa1-4848-80bb-96ddf53a328f\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.outcome\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a808a872-71b5-4a76-a939-354f68991881\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":2},\"scale\":\"ordinal\",\"sourceField\":\"event.outcome\"},\"a808a872-71b5-4a76-a939-354f68991881\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Credentials 
accessed\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c05a39ad-2983-4f4a-900d-a939ecbda504\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cyberarkpas.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cyberarkpas.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"308\",\"22\",\"319\",\"295\",\"38\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"308\"}},{\"match_phrase\":{\"event.code\":\"22\"}},{\"match_phrase\":{\"event.code\":\"319\"}},{\"match_phrase\":{\"event.code\":\"295\"}},{\"match_phrase\":{\"event.code\":\"38\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"layers\":[{\"accessors\":[\"a808a872-71b5-4a76-a939-354f68991881\"],\"layerId\":\"50325938-6a9e-4a26-946e-4468e68c6591\",\"position\":\"top\",\"seriesType\":\"area_stacked\",\"showGridlines\":false,\"splitAccessor\":\"8a965540-daa1-4848-80bb-96ddf53a328f\",\"xAccessor\":\"c05a39ad-2983-4f4a-900d-a939ecbda504\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"area_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"l
ens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"1dc68cc6-e1b3-43ea-9b0e-f423d194b99a\",\"w\":27,\"x\":21,\"y\":13},\"panelIndex\":\"1dc68cc6-e1b3-43ea-9b0e-f423d194b99a\",\"title\":\"Credential access by time\",\"type\":\"lens\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-105faf70-8330-46b3-a82a-573a383068fa\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"105faf70-8330-46b3-a82a-573a383068fa\":{\"columnOrder\":[\"c51d6847-2fcc-4d13-a44f-49786cb979ed\",\"d73b823b-ae68-4e73-bbe2-90a35bc825e7\",\"c0147524-accc-4dee-a4fc-44199e3459f1\"],\"columns\":{\"c0147524-accc-4dee-a4fc-44199e3459f1\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Authentications\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c51d6847-2fcc-4d13-a44f-49786cb979ed\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Users\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c0147524-accc-4dee-a4fc-44199e3459f1\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":8},\"scale\":\"ordinal\",\"sourceField\":\"user.name\"},\"d73b823b-ae68-4e73-bbe2-90a35bc825e7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.outcome\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"type\":\"alphabetical\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":2},\"scale\":\"ordinal\",\"sourceField\":\"event.outcome\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"event.category\",\"negate\":false,\"params\":[\"authentication\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.category\":\"authentication\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"layers\":[{\"accessors\":[\"c0147524-accc-4dee-a4fc-44199e3459f1\"],\"layerId\":\"105faf70-8330-46b3-a82a-573a383068fa\",\"palette\":{\"name\":\"status\",\"type\":\"palette\"},\"position\":\"top\",\"seriesType\":\"bar_horizontal_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d73b823b-ae68-4e73-bbe2-90a35bc825e7\",\"xAccessor\":\"c51d6847-2fcc-4d13-a44f-49786cb979ed\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":false},\"preferredSeriesType\":\"bar_horizontal_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":23,\"i\":\"c56b3e4d-bfb6-4b06-a62b-282753b85f7a\",\"w\":15,\"x\":0,\"y\":26},\"panelIndex\":\"c56b3e4d-bfb6-4b06-a62b-282753b85f7a\",\"title\":\"Vault Authentication 
attempts\",\"type\":\"lens\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"id\\\":null,\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"a3734143-d6e1-4551-b0b1-8282a37e151b\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"label\\\":\\\"logs-* | Source Point\\\",\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"geoField\\\":\\\"source.geo.location\\\",\\\"scalingType\\\":\\\"TOP_HITS\\\",\\\"topHitsSplitField\\\":\\\"source.ip\\\",\\\"tooltipProperties\\\":[\\\"host.name\\\",\\\"source.ip\\\",\\\"source.domain\\\",\\\"source.geo.country_iso_code\\\",\\\"source.as.organization.name\\\"],\\\"id\\\":\\\"5f2b25a1-01ea-45ca-a4a2-f1a670c3b149\\\",\\\"type\\\":\\\"ES_SEARCH\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"filterByMapBounds\\\":true,\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"topHitsSize\\\":22},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"home\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#6092C0\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":2}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":8}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\"
:{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"icon\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"2ad8e318-4ef4-4e89-94f2-f37e395c488c\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"type\\\":\\\"VECTOR\\\",\\\"joins\\\":[]},{\\\"label\\\":\\\"logs-* | Destination point\\\",\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"scalingType\\\":\\\"TOP_HITS\\\",\\\"topHitsSplitField\\\":\\\"destination.ip\\\",\\\"tooltipProperties\\\":[\\\"host.name\\\",\\\"destination.ip\\\",\\\"destination.domain\\\",\\\"destination.geo.country_iso_code\\\",\\\"destination.as.organization.name\\\"],\\\"id\\\":\\\"bc95f479-964f-4498-be1e-376d34a01b0a\\\",\\\"type\\\":\\\"ES_SEARCH\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"filterByMapBounds\\\":true,\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"topHitsSize\\\":35},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#D36086\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":2}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":8}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\
\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"icon\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"dbb878c8-4039-49f1-b2ff-ab7fb942ba55\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"type\\\":\\\"VECTOR\\\",\\\"joins\\\":[]},{\\\"label\\\":\\\"logs-* | Line\\\",\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"sourceGeoField\\\":\\\"source.geo.location\\\",\\\"destGeoField\\\":\\\"destination.geo.location\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"},{\\\"type\\\":\\\"sum\\\",\\\"field\\\":\\\"destination.bytes\\\"}],\\\"id\\\":\\\"faf6884d-b7cb-41dd-ab86-95970d7c59d2\\\",\\\"type\\\":\\\"ES_PEW_PEW\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#6092C0\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"minSize\\\":1,\\\"maxSize\\\":8,\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":true,\\\"sigma\\\":3}}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\
"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"9c450fbf-b009-4b53-9810-2f47ca8dcfa8\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"type\\\":\\\"VECTOR\\\",\\\"joins\\\":[]}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.24,\\\"center\\\":{\\\"lon\\\":-49.38072,\\\"lat\\\":7.87497},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15w\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":148.88690000000003,\"maxLon\":438.09868,\"minLat\":-116.68142,\"minLon\":-417.60444},\"mapCenter\":{\"lat\":43.83453,\"lon\":10.24712,\"zoom\":1},\"openTOCDetails\":[]},\"gridData\":{\"h\":23,\"i\":\"cd1e20e7-706f-4d02-949c-d9f5908bad67\",\"w\":33,\"x\":15,\"y\":26},\"panelIndex\":\"cd1e20e7-706f-4d02-949c-d9f5908bad67\",\"title\":\"Network sources and 
destinations\",\"type\":\"map\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-028c5c1e-79f9-4999-8438-4889ac2b714c\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"028c5c1e-79f9-4999-8438-4889ac2b714c\":{\"columnOrder\":[\"e55346c7-87bc-49f4-9215-8a36931d05f4\",\"f2cd86e2-fb91-48b2-b8dd-e98395d28e00\"],\"columns\":{\"e55346c7-87bc-49f4-9215-8a36931d05f4\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Users\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f2cd86e2-fb91-48b2-b8dd-e98395d28e00\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"user.name\"},\"f2cd86e2-fb91-48b2-b8dd-e98395d28e00\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Failed 
authentications\",\"operationType\":\"count\",\"params\":{},\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"authentication\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"authentication\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.outcome\",\"negate\":false,\"params\":{\"query\":\"failure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.outcome\":\"failure\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"layers\":[{\"accessors\":[\"f2cd86e2-fb91-48b2-b8dd-e98395d28e00\"],\"layerId\":\"028c5c1e-79f9-4999-8438-4889ac2b714c\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"xAccessor\":\"e55346c7-87bc-49f4-9215-8a36931d05f4\",\"yConfig\":[{\"color\":\"#d36086\",\"forAccessor\":\"f2cd86e2-fb91-48b2-b8dd-e98395d28e00\"}]}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c6305b30-a7e2-4cc3-b49b-db99031f150e\",\"w\":15,\"x\":0,\"y\":49},\"panelIndex\":\"c6305b30-a7e2-4cc3-b49b-db99031f150e\",\"title\":\"Top users by failed authentications to 
Vault\",\"type\":\"lens\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"96a2c711-40a3-4dfc-87f5-4b193078e05a\",\"w\":33,\"x\":15,\"y\":49},\"panelIndex\":\"96a2c711-40a3-4dfc-87f5-4b193078e05a\",\"panelRefName\":\"panel_9\",\"title\":\"Credential Access\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"columns\":[\"observer.hostname\",\"cyberarkpas.audit.action\",\"cyberarkpas.audit.issuer\",\"cyberarkpas.audit.safe\",\"file.path\"],\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":18,\"i\":\"6cd62115-65e7-416f-8da7-96b0d7a9d932\",\"w\":48,\"x\":0,\"y\":64},\"panelIndex\":\"6cd62115-65e7-416f-8da7-96b0d7a9d932\",\"panelRefName\":\"panel_10\",\"title\":\"All logs\",\"version\":\"7.12.0\"}]", - "timeRestore": false, - "title": "[Logs CyberArk PAS] Overview", - "version": 1 - }, - "coreMigrationVersion": "7.12.0", - "id": "cyberarkpas-eb12ef60-96f6-11eb-bbf8-d77aef8ad7a6", - "migrationVersion": { - "dashboard": "7.11.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-33bc0096-e418-4f81-9c7c-7fdd16cc5203", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-de047c06-a965-47aa-8a15-8b0266d5abc3", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - 
"id": "logs-*", - "name": "indexpattern-datasource-layer-19858811-84d1-4f50-901c-dc1451972324", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-50325938-6a9e-4a26-946e-4468e68c6591", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-105faf70-8330-46b3-a82a-573a383068fa", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "layer_2_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "layer_3_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-028c5c1e-79f9-4999-8438-4889ac2b714c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "cyberarkpas-a9b82df0-97a5-11eb-bbf8-d77aef8ad7a6", - "name": "panel_9", - "type": "search" - }, - { - "id": "cyberarkpas-fec0d170-96f7-11eb-bbf8-d77aef8ad7a6", - "name": "panel_10", - "type": "search" - } - ], - "type": 
"dashboard"
-}
\ No newline at end of file
diff --git a/packages/cyberarkpas/2.4.1/kibana/search/cyberarkpas-a9b82df0-97a5-11eb-bbf8-d77aef8ad7a6.json b/packages/cyberarkpas/2.4.1/kibana/search/cyberarkpas-a9b82df0-97a5-11eb-bbf8-d77aef8ad7a6.json
deleted file mode 100755
index 7c7f726138..0000000000
--- a/packages/cyberarkpas/2.4.1/kibana/search/cyberarkpas-a9b82df0-97a5-11eb-bbf8-d77aef8ad7a6.json
+++ /dev/null
@@ -1,52 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "event.outcome", - "source.address", - "source.user.name", - "destination.address", - "destination.user.name", - "event.reason" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cyberarkpas.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cyberarkpas.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"308\",\"319\",\"295\",\"22\",\"38\",\"300\",\"302\"],\"type\":\"phrases\",\"value\":\"308, 319, 295, 22, 38, 300, 302\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"308\"}},{\"match_phrase\":{\"event.code\":\"319\"}},{\"match_phrase\":{\"event.code\":\"295\"}},{\"match_phrase\":{\"event.code\":\"22\"}},{\"match_phrase\":{\"event.code\":\"38\"}},{\"match_phrase\":{\"event.code\":\"300\"}},{\"match_phrase\":{\"event.code\":\"302\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Credential Access logs [Logs CyberArk PAS]", - "version": 1 - }, - "coreMigrationVersion": "7.12.0", - "id": "cyberarkpas-a9b82df0-97a5-11eb-bbf8-d77aef8ad7a6", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cyberarkpas/2.4.1/kibana/search/cyberarkpas-fec0d170-96f7-11eb-bbf8-d77aef8ad7a6.json b/packages/cyberarkpas/2.4.1/kibana/search/cyberarkpas-fec0d170-96f7-11eb-bbf8-d77aef8ad7a6.json deleted file mode 100755 index dc7d982de3..0000000000 --- a/packages/cyberarkpas/2.4.1/kibana/search/cyberarkpas-fec0d170-96f7-11eb-bbf8-d77aef8ad7a6.json +++ /dev/null @@ -1,34 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"cyberarkpas.audit\\\" \"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "All logs [Logs CyberArk PAS]", - "version": 1 - }, - "coreMigrationVersion": "7.12.0", - "id": "cyberarkpas-fec0d170-96f7-11eb-bbf8-d77aef8ad7a6", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cyberarkpas/2.4.1/manifest.yml b/packages/cyberarkpas/2.4.1/manifest.yml deleted file mode 100755 index f91b837e6a..0000000000 --- a/packages/cyberarkpas/2.4.1/manifest.yml +++ /dev/null 
@@ -1,37 +0,0 @@
-name: cyberarkpas
-title: CyberArk Privileged Access Security Logs
-version: 2.4.1
-release: ga
-description: Collect audit logs from Cyberark Vault servers with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: ["security"]
-conditions:
- kibana.version: ^7.16.0 || ^8.0.0
-screenshots:
- - src: /img/filebeat-cyberarkpas-overview.png
- title: filebeat cyberarkpas overview
- size: 1792x2496
- type: image/png
-policy_templates:
- - name: cyberarkpas
- title: CyberArk Privileged Access Security audit logs
- description: Collect logs from Vault instances
- inputs:
- - type: tcp
- title: 'Collect Vault audit logs via TCP'
- description: 'Collecting Vault audit logs from CyberArk PAS via TCP'
- - type: udp
- title: 'Collect Vault audit logs via UDP'
- description: 'Collecting Vault audit logs from CyberArk PAS via UDP'
- - type: logfile
- title: 'Collect Vault audit logs via file'
- description: 'Collecting Vault audit logs from CyberArk PAS via file'
-icons:
- - src: /img/logo.svg
- title: CyberArk logo
- size: 32x32
- type: image/svg+xml
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/cyberarkpas/2.4.2/changelog.yml b/packages/cyberarkpas/2.4.2/changelog.yml
deleted file mode 100755
index 1fd8792cfd..0000000000
--- a/packages/cyberarkpas/2.4.2/changelog.yml
+++ /dev/null
@@ -1,114 +0,0 @@
-# newer versions go on top
-- version: "2.4.2"
- changes:
- - description: Fix broken file paths configuration variable
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3497
-- version: "2.4.1"
- changes:
- - description: Update to readme. added link to vendor documentation
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3222
-- version: "2.4.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2779
-- version: "2.3.2"
- changes:
- - description: Fix error ingesting events with a single entry in the CAProperties field
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2965
-- version: "2.3.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
- - description: Remove duplicated definition of `event.dataset` field.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2916
-- version: "2.3.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2400
-- version: "2.2.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "2.2.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "2.2.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2223
-- version: "2.1.4"
- changes:
- - description: Uniform with guidelines
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2024
-- version: "2.1.3"
- changes:
- - description: Remove dash from title for consistency with brand.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2004
-- version: "2.1.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1962
-- version: "2.1.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1814
-- version: "2.1.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1657
-- version: "2.0.0"
- changes:
- - description: make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1631
-- version: "1.2.3"
- changes:
- - description: Convert to generated ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1474
-- version: '1.2.2'
- changes:
- - description: update to ECS 1.11.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1380
-- version: "1.2.1"
- changes:
- - description: Escape special characters in docs
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1405
-- version: "1.2.0"
- changes:
- - description: Update integration description
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1364
-- version: "1.1.0"
- changes:
- - description: Set "event.module" and "event.dataset"
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1260
-- version: "1.0.1"
- changes:
- - description: updating ECS version and adding event.original options
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1039
-- version: "1.0.0"
- changes:
- - description: initial release
- type: enhancement
- link: https://github.com/elastic/integrations/pull/928
diff --git a/packages/cyberarkpas/2.4.2/data_stream/audit/agent/stream/log.yml.hbs b/packages/cyberarkpas/2.4.2/data_stream/audit/agent/stream/log.yml.hbs
deleted file mode 100755
index 4a720c1d38..0000000000
--- a/packages/cyberarkpas/2.4.2/data_stream/audit/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,20 +0,0 @@
-paths:
-{{#each paths as |path i|}}
-- {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/cyberarkpas/2.4.2/data_stream/audit/agent/stream/tcp.yml.hbs b/packages/cyberarkpas/2.4.2/data_stream/audit/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 63b1142efc..0000000000
--- a/packages/cyberarkpas/2.4.2/data_stream/audit/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,20 +0,0 @@
-tcp:
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/cyberarkpas/2.4.2/data_stream/audit/agent/stream/udp.yml.hbs b/packages/cyberarkpas/2.4.2/data_stream/audit/agent/stream/udp.yml.hbs
deleted file mode 100755
index 3b9f36d9ca..0000000000
--- a/packages/cyberarkpas/2.4.2/data_stream/audit/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,17 +0,0 @@
-udp:
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/cyberarkpas/2.4.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/cyberarkpas/2.4.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index c12922ca45..0000000000
--- a/packages/cyberarkpas/2.4.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,1193 +0,0 @@ ---- -description: Pipeline for CyberArk PAS - -processors: - # - # Set ECS version. - # - - set: - field: ecs.version - value: '8.2.0' - - # - # Set event.original from message, unless reindexing. - # - - rename: - field: message - target_field: event.original - if: 'ctx.event?.original == null' - - # - # Parse syslog headers (if any) and extract JSON payload. - # - - grok: - field: event.original - patterns: - # RFC5424 from CyberArk. - # UseLegacySyslogFormat=No - # <5>1 2021-03-04T17:28:23Z VAULT {"format":"elastic","version":"1.0",...} - - "^<%{NONNEGINT:log.syslog.priority:long}>%{NONNEGINT} %{TIMESTAMP_ISO8601:_tmp.syslog_ts} %{SYSLOGHOST:_tmp.hostname} %{JSON_PAYLOAD:_tmp.payload}" - - # Legacy format. - # UseLegacySyslogFormat=Yes - # Mar 08 02:57:42 VAULT {"format":"elastic","version":"1.0",...} - - "^%{SYSLOGTIMESTAMP:_tmp.syslog_ts} %{SYSLOGHOST:_tmp.hostname} %{JSON_PAYLOAD:_tmp.payload}" - - # Catch-all mode, just JSON payload. - - "%{JSON_PAYLOAD:_tmp.payload}" - pattern_definitions: - JSON_PAYLOAD: '{"format":"elastic","version":"1.0",.*}' - on_failure: - - fail: - message: "unexpected event format: {{{_ingest.on_failure_message}}}" - - - json: - field: _tmp.payload - target_field: _tmp.json - on_failure: - - fail: - message: "malformed JSON event: {{{_ingest.on_failure_message}}}" - - - rename: - field: _tmp.json.syslog.audit_record - target_field: cyberarkpas.audit - on_failure: - - fail: - message: "unexpected event structure: {{{_ingest.on_failure_message}}}" - - - # - # Remove all empty fields - # - - script: - lang: painless - description: 'Removes empty audit fields' - source: >- - ctx.cyberarkpas.audit.entrySet().removeIf(entry -> entry.getValue() == ""); - - - rename: - field: _tmp.json.raw - target_field: cyberarkpas.audit.raw - ignore_missing: true - - # The following processors populate @timestamp from the different sources that can exist in an event. 
- # In the following order of precedence: - # - IsoTimestamp field (expected ISO8601). Present when new syslog format is used (rfc5424: yes). - # - Timestamp (expected MMM dd HH:mm:ss). Also present only when new syslog format is used. - # - Syslog header timestamp. Either ISO8601 or legacy MMM dd HH:mm:ss, depending on the syslog format in use. - # - Original @timestamp from Filebeat. - - date: - if: 'ctx.cyberarkpas.audit.IsoTimestamp != null' - field: cyberarkpas.audit.IsoTimestamp - target_field: _tmp.timestamp - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: "failed to parse ISO timestamp field: {{{cyberarkpas.audit.IsoTimestamp}}}: {{{_ingest.on_failure_message}}}" - - - date: - if: 'ctx._tmp.timestamp == null && ctx.cyberarkpas.audit.Timestamp != null' - field: cyberarkpas.audit.Timestamp - target_field: _tmp.timestamp - formats: - # This is the default format. - - 'MMM dd HH:mm:ss' - # Drop a few other formats in case the above fails. - - ISO8601 - - 'MMM d HH:mm:ss' - - "EEE MMM dd HH:mm:ss" - - "EEE MMM d HH:mm:ss" - - "MMM d HH:mm:ss z" - - "MMM dd HH:mm:ss z" - - "EEE MMM d HH:mm:ss z" - - "EEE MMM dd HH:mm:ss z" - - "MMM d yyyy HH:mm:ss" - - "MMM dd yyyy HH:mm:ss" - - "EEE MMM d yyyy HH:mm:ss" - - "EEE MMM dd yyyy HH:mm:ss" - - "MMM d yyyy HH:mm:ss z" - - "MMM dd yyyy HH:mm:ss z" - - "EEE MMM d yyyy HH:mm:ss z" - - "EEE MMM dd yyyy HH:mm:ss z" - on_failure: - - append: - field: error.message - value: "failed to parse timestamp field: {{{cyberarkpas.audit.Timestamp}}}: {{{_ingest.on_failure_message}}}" - - - date: - if: 'ctx._tmp.timestamp == null && ctx._tmp.syslog_ts != null && ctx.event?.timezone == null' - field: _tmp.syslog_ts - target_field: _tmp.timestamp - formats: - # This is the default format. - - 'MMM dd HH:mm:ss' - # Drop a few other formats in case the above fails. 
- - ISO8601 - - 'MMM d HH:mm:ss' - - "EEE MMM dd HH:mm:ss" - - "EEE MMM d HH:mm:ss" - - "MMM d HH:mm:ss z" - - "MMM dd HH:mm:ss z" - - "EEE MMM d HH:mm:ss z" - - "EEE MMM dd HH:mm:ss z" - - "MMM d yyyy HH:mm:ss" - - "MMM dd yyyy HH:mm:ss" - - "EEE MMM d yyyy HH:mm:ss" - - "EEE MMM dd yyyy HH:mm:ss" - - "MMM d yyyy HH:mm:ss z" - - "MMM dd yyyy HH:mm:ss z" - - "EEE MMM d yyyy HH:mm:ss z" - - "EEE MMM dd yyyy HH:mm:ss z" - on_failure: - - append: - field: error.message - value: "failed to parse legacy syslog timestamp: {{{_tmp.syslog_ts}}}: {{{_ingest.on_failure_message}}}" - - - date: - if: 'ctx._tmp.timestamp == null && ctx._tmp.syslog_ts != null && ctx.event?.timezone != null' - field: _tmp.syslog_ts - target_field: _tmp.timestamp - timezone: '{{{event.timezone}}}' - formats: - # This is the default format. - - 'MMM dd HH:mm:ss' - # Drop a few other formats in case the above fails. - - ISO8601 - - 'MMM d HH:mm:ss' - - "EEE MMM dd HH:mm:ss" - - "EEE MMM d HH:mm:ss" - - "MMM d HH:mm:ss z" - - "MMM dd HH:mm:ss z" - - "EEE MMM d HH:mm:ss z" - - "EEE MMM dd HH:mm:ss z" - - "MMM d yyyy HH:mm:ss" - - "MMM dd yyyy HH:mm:ss" - - "EEE MMM d yyyy HH:mm:ss" - - "EEE MMM dd yyyy HH:mm:ss" - - "MMM d yyyy HH:mm:ss z" - - "MMM dd yyyy HH:mm:ss z" - - "EEE MMM d yyyy HH:mm:ss z" - - "EEE MMM dd yyyy HH:mm:ss z" - on_failure: - - append: - field: error.message - value: "failed to parse legacy syslog timestamp: {{{_tmp.syslog_ts}}}: {{{_ingest.on_failure_message}}}" - - - set: - field: '@timestamp' - value: '{{{_tmp.timestamp}}}' - ignore_empty_value: true - override: true - - # This script ensures that CAProperties.CAProperty is an array. - # When there's a single property, it is serialised as an object instead - # of a single element array. 
- - script: - lang: painless - description: "Converts CAProperties into an array if necessary" - source: > - def props = ctx.cyberarkpas?.audit?.CAProperties?.CAProperty; - if (props != null && props instanceof Map) { - ctx.cyberarkpas.audit.CAProperties.CAProperty = [ props ]; - } - - # This script converts the nested object under cyberarkpas.audit.CAProperties.CAProperty - # into an object under cyberarkpas.audit.CAProperties: - # - # input: - # "cyberarkpas.audit.CAProperties.CAProperty": [ - # { - # "Name": "PolicyID", - # "Value": "LINUX-SSH" - # }, - # { - # "Name": "UserName", - # "Value": "test12" - # } - # output: - # "cyberarkpas.audit.CAProperties": - # { - # "PolicyID": "LINUX-SSH", - # "UserName": "test12" - # } - - foreach: - field: cyberarkpas.audit.CAProperties.CAProperty - ignore_missing: true - processor: - set: - field: 'cyberarkpas.audit.CAProperties.{{{_ingest._value.Name}}}' - value: '{{{_ingest._value.Value}}}' - on_failure: - - append: - field: error.message - value: "failed to process CAProperties array: {{{_ingest.on_failure_message}}}" - - remove: - field: cyberarkpas.audit.CAProperties.CAProperty - ignore_missing: true - - # Parse key-value pairs at ExtraDetails: - # input: - # "cyberarkpas.audit.ExtraDetails": "Command=ls \"/var/tmp\";ConnectionComponentId=PSMP-SSH;DstHost=[...]", - # - # output: - # "cyberarkpas.audit.ExtraDetails": - # { - # "Command": "ls \"/var/tmp\"", - # "ConnectionComponentId": "PSMP-SSH", - # "DstHost": [...] - # - # The original string can contain escaped separators, \= and \; - - kv: - field: cyberarkpas.audit.ExtraDetails - field_split: '(? 
- String to_snake_case(String s) { - /* faster code path for strings that won't need an underscore */ - if (s.chars().skip(1).noneMatch(Character::isUpperCase)) { - return s.toLowerCase(); - } - int run = 0; - boolean first = true; - StringBuilder result = new StringBuilder(); - for (char c : s.toCharArray()) { - char o = Character.toLowerCase(c); - if (c != o) { - if (run == 0 && !first) { - result.append('_'); - } - run ++; - } else { - if (run > 1) { - char prev = result.charAt(result.length()-1); - result.setCharAt(result.length()-1, (char)'_'); - result.append(prev); - } - run = 0; - first = false; - } - result.append(o); - } - return result.toString(); - } - def keys_to_snake_case_recursive(Map object) { - return object.entrySet().stream().collect( - Collectors.toMap( - e -> to_snake_case(e.getKey()), - e -> e.getValue() instanceof Map? keys_to_snake_case_recursive(e.getValue()) : e.getValue() - ) - ); - } - ctx.cyberarkpas.audit = keys_to_snake_case_recursive(ctx.cyberarkpas.audit); - - # - # Convert rfc5424 field to boolean. - # - - script: - description: 'Converts the rfc5424 audit field to a boolean' - lang: painless - source: > - def value = ctx.cyberarkpas.audit.rfc5424; - ctx.cyberarkpas.audit["rfc5424"] = value == 'yes'; - - ######################################################## - # ECS enrichment - # - # All processors from this point use the snake_case form - # to access CyberArk fields. 
- ######################################################## - - - set: - field: event.kind - value: event - - - lowercase: - field: cyberarkpas.audit.action - target_field: event.action - ignore_missing: true - - # Severity to number - # - # Possible values: - # Info -> 0 - # Error -> 7 - # Critical -> 10 - - set: - field: event.severity - value: 2 - if: 'ctx.cyberarkpas.audit.severity == "Info"' - - set: - field: event.severity - value: 7 - if: 'ctx.cyberarkpas.audit.severity == "Error"' - - set: - field: event.severity - value: 10 - if: 'ctx.cyberarkpas.audit.severity == "Critical"' - - set: - field: event.type - value: error - if: 'ctx.event?.severity > 6' - - - rename: - field: cyberarkpas.audit.message_id - target_field: event.code - ignore_missing: true - - - set: - field: source.address - value: '{{{cyberarkpas.audit.station}}}' - ignore_empty_value: true - - - set: - field: destination.address - value: '{{{cyberarkpas.audit.gateway_station}}}' - ignore_empty_value: true - - - set: - field: file.path - value: '{{{cyberarkpas.audit.file}}}' - if: 'ctx.cyberarkpas.audit?.file != null' - - # - # Observer fields - # - - rename: - field: cyberarkpas.audit.vendor - target_field: observer.vendor - ignore_missing: true - - rename: - field: cyberarkpas.audit.product - target_field: observer.product - ignore_missing: true - - rename: - field: cyberarkpas.audit.version - target_field: observer.version - ignore_missing: true - - rename: - field: cyberarkpas.audit.hostname - target_field: observer.hostname - ignore_missing: true - # Use hostname from syslog if audit record's Hostname field is missing. 
- - rename: - field: _tmp.hostname - target_field: observer.hostname - ignore_missing: true - if: 'ctx.observer?.hostname == null' - # - # Enrichment based on message_id - # - # This script is overly complicated (read_field) because at this time - # there is no processor that allows to set one field from a source - # field using indirection (it is possible with rename, but that - # removes the original field). - # - # Once something like this is possible: - # set: - # target_field: '{{{_ingest.value.to}}}' - # copy_from: '{{{_ingest.value.from}}}' - # - # ... this script can be updated to just create two output lists, one - # for value-to pairs, another for value-from pairs. - # - - script: - lang: painless - description: 'ECS enrichment based on message_id' - params: - # 4 - User Authentication - # - # Always a failure. - "4": - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["authentication"] - - set: event.type - value: ["error"] - - set: event.action - value: "authentication_failure" - - set: event.outcome - value: "failure" - - # 7 - Logon - # - # User logged on to the PVWA. - "7": - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: [ "authentication", "session"] - - set: event.type - value: [ "start"] - - set: event.action - value: "authentication_success" - - set: event.outcome - value: "success" - - # 8 - Logoff - # - # User logged of from the PVWA. - "8": # Logoff - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: [ "authentication", "session"] - - set: event.type - value: ["end"] - - set: event.outcome - value: "success" - - # 19 - Full gateway connection. 
- "19": - - set: source.user.name - from: cyberarkpas.audit.source_user - - set: user.name - from: cyberarkpas.audit.source_user - - set: destination.user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["network"] - - set: event.type - value: ["start"] - - set: event.outcome - value: "success" - - # 22 - CPM Verify Password - # - # Password on a target host is verified. - "22": - # Address of device that hosts the account. - - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["admin", "info"] - - # 23 - Action on closed safe - # - # Nothing remarkable. - # - # "23": - - # 24 - CPM Change Password - "24": - - set: destination.address # This could be host.* or user.target.* (doesn't exists). - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - set: user.target.name - from: cyberarkpas.audit.ca_properties.user_name - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["user", "change"] - - # 31 - CPM Reconcile Password - # - "31": - - set: destination.address # This could be host.* or user.target.* (doesn't exists). - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - set: user.target.name - from: cyberarkpas.audit.ca_properties.user_name - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["user", "change"] - - # 32 - Add Owner - # - # Change owner of a Safe. 
- # source_user performs the action, docs suggest otherwise. - "32": - - set: user.name - from: cyberarkpas.audit.issuer - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.category - value: ["iam"] # How to best model Vault/Safes? An IAM system? A Database? - - set: event.type - value: ["admin", "change"] - - set: event.outcome - value: "success" - - # 33 - Update Owner - # - # Same as above - "33": - - set: user.name - from: cyberarkpas.audit.issuer - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.category - value: ["iam"] # How to best model Vault/Safes? An IAM system? A Database? - - set: event.type - value: ["admin", "change"] - - set: event.outcome - value: "success" - - # 38 - CPM Verify Password Failed - # - # Like 22 but failed. - "38": - # Address of device that hosts the account. - - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - value: "failure" - - set: event.reason - from: cyberarkpas.audit.ca_properties.cpm_error_details - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["error"] - - # 50 - Store File - # - # I don't think it makes much sense to enrich Vault file events as "file" category. - # This will involve probably constructing a file.path prefixed by the safe name. - # Then these file events may be treated as file events in SIEM, which can have - # unwanted consequences. - # "50": - - # 57 - CPM Change Password Failed - "57": - - set: destination.address # This could be host.* or user.target.* (doesn't exists). 
- from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - value: "failure" - - set: user.target.name - from: cyberarkpas.audit.ca_properties.user_name - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["user", "change", "error"] - - set: event.reason - from: cyberarkpas.audit.ca_properties.cpm_error_details - - # 60 - CPM Reconcile Password Failed - "60": - - set: destination.address # This could be host.* or user.target.* (doesn't exists). - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - value: "failure" - - set: user.target.name - from: cyberarkpas.audit.ca_properties.user_name - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["user", "change", "error"] - - set: event.reason - from: cyberarkpas.audit.ca_properties.cpm_error_details - - # 130 - CPM Disable Password - "130": - - set: event.outcome - value: "failure" - - set: user.target.name - from: cyberarkpas.audit.ca_properties.user_name - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["user", "change"] - - set: event.reason - from: cyberarkpas.audit.ca_properties.cpm_error_details - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - # 174 - Change User (untested) - "174": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - value: ["user", "change"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 175 - Change Your User (untested) - "175": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - value: ["user", "change"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 176 - Delete User (untested) - "176": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - 
value: ["user", "deletion"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 177 - Delete Your User (untested) - "177": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - value: ["user", "deletion"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 173 - Add User (alternative to 180, untested) - "173": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - value: ["user", "creation"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 180 - Add User - "180": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - value: ["user", "creation"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 295 - Retrieve Password succeeded - "295": - - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["admin", "access"] - - set: event.outcome - value: "success" - - set: event.reason - from: cyberarkpas.audit.reason - - # 300 - PSM Connect - "300": - - set: destination.address - from: cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: event.category - value: ["session"] - - set: event.type - value: ["start"] - - set: event.outcome - value: "success" - - # 302 - PSM Disconnect - "302": - - set: destination.address - from: 
cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: _tmp.duration_hms - from: cyberarkpas.audit.extra_details.session_duration - - set: event.category - value: ["session"] - - set: event.type - value: ["end"] - - set: event.outcome - value: "success" - - # 308 - Use Password - "308": - - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["admin", "access"] - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - set: event.reason - from: cyberarkpas.audit.reason - - # 309 - Undefined user logon - # - "309": - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["authentication"] - - set: event.type - value: ["error"] - - set: event.action - value: "authentication_failure" - - set: event.outcome - value: "failure" - - # 361 - Keystroke logging - "361": - - set: destination.address - from: cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: event.category - value: ["session"] - - set: event.type - value: ["info"] - - # 412 - Keystroke logging (same as 361?) 
- "412": - - set: destination.address - from: cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: event.category - value: ["session"] - - set: event.type - value: ["info"] - - # 359 - SQL Command - "359": - - set: destination.address - from: cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: event.category - value: ["database"] - - set: event.type - value: ["access"] - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - # 411 - Window Title - "411": - - set: destination.address - from: cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: process.pid - from: cyberarkpas.audit.extra_details.process_id - - set: process.name - from: cyberarkpas.audit.extra_details.process_name - - set: event.category - value: ["process"] - - set: event.type - value: ["access", "info"] - - # 414 - CPM Verify SSH Key - # - # SSH-key on a target host is verified. - "414": - # Address of device that hosts the account. 
- - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["admin", "info"] - - # 428 - Retrieve SSH Key - "428": - - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["admin", "access"] - - set: event.outcome - value: "success" - - set: event.reason - from: cyberarkpas.audit.reason - - source: > - def clone(def val) { - return val instanceof List? new ArrayList(val) : val; - } - def read_field(def map, String name) { - if (map == null || !(map instanceof Map)) return null; - int pos = name.indexOf("."); - return pos == -1? map[name] - : read_field(map[name.substring(0, pos)], name.substring(pos+1)); - } - String msgID = ctx.event?.code; - def actions = params.get(msgID); - if (actions == null) return; - List values = new ArrayList(); - for (def item : actions) { - def val = item.value; - if (val == null && (val = read_field(ctx, item.from)) == null || val == "") continue; - values.add([ - "to": item.set, - "value": clone(val) - ]); - } - if (!values.isEmpty()) ctx._tmp["values"] = values; - - - foreach: - field: _tmp.values - ignore_missing: true - processor: - set: - field: '{{{_ingest._value.to}}}' - copy_from: '_ingest._value.value' - ignore_empty_value: true - override: true - - # - # Force event.outcome: unknown in case it gets a value other than one of the allowed. 
- # - - set: - field: event.outcome - value: 'unknown' - if: 'ctx.event?.outcome != null && !["success", "failure"].contains(ctx.event.outcome)' - - - # - # Set event.duration from the session duration ("hh:mm:ss") present in some messages. - # - - script: - lang: painless - description: 'Set event.duration from the session duration ("hh:mm:ss")' - if: "ctx._tmp?.duration_hms != null" - source: > - long parse_hms(String s) { - long cur = 0, total = 0; - for (char c: s.toCharArray()) { - if (c >= (char)'0' && c <= (char)'9') { - cur = (cur*10) + (long)c - (char)'0'; - } else if (c == (char)':') { - total = (total + cur) * 60; - cur = 0; - } else { - return 0; - } - } - return total + cur; - } - long nanos = parse_hms(ctx._tmp.duration_hms) * 1000000000L; - ctx.event['duration'] = nanos; - - # - # Populate ip/domain fields from address. - # - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true - on_failure: - - set: - field: source.domain - copy_from: source.address - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - set: - field: destination.domain - copy_from: destination.address - - # - # Populate related.ip - # - - append: - field: related.ip - value: '{{{source.ip}}}' - if: 'ctx.source?.ip != null' - allow_duplicates: false - - append: - field: related.ip - value: '{{{destination.ip}}}' - if: 'ctx.destination?.ip != null' - allow_duplicates: false - - append: - field: related.ip - value: '{{{cyberarkpas.audit.station}}}' - if: 'ctx.cyberarkpas.audit.station != null' - allow_duplicates: false - - append: - field: related.ip - value: '{{{cyberarkpas.audit.gateway_station}}}' - if: 'ctx.cyberarkpas.audit.gateway_station != null' - allow_duplicates: false - - # - # Populate related.user - # - - append: - field: related.user - value: '{{{user.name}}}' - if: 'ctx.user?.name != null' - allow_duplicates: false - - append: - field: related.user - value: 
'{{{source.user.name}}}' - if: 'ctx.source?.user?.name != null' - allow_duplicates: false - - append: - field: related.user - value: '{{{destination.user.name}}}' - if: 'ctx.destination?.user?.name != null' - allow_duplicates: false - - append: - field: related.user - value: '{{{user.target.name}}}' - if: 'ctx.user?.target?.name != null' - allow_duplicates: false - - # - # sometimes application is capitalized. - # - - lowercase: - field: network.application - ignore_missing: true - - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # - # Set host.name - # This sets host.name from observer.hostname when the original event from Filebeat didn't - # have a host.name. This is the case of forwarded events (the tag "forwarded" is present). - # - - set: - field: host.name - value: '{{{observer.hostname}}}' - ignore_empty_value: true - if: 'ctx.host?.name == null' - - - network_direction: - ignore_missing: true - internal_networks: - - loopback - - private - - unspecified - - - convert: - field: process.pid - type: long - ignore_missing: true - - # - # Save only interesting fields under extra_fields and ca_properties - # to prevent mapping explosion. Keep the rest under .other (type flattened). - # - - script: - lang: painless - description: Map interesting fields from ca_properties and extra_details. 
- params: - ca_properties: - - address - - cpm_disabled - - cpm_error_details - - cpm_status - - creation_method - - customer - - database - - device_type - - dual_account_status - - group_name - - in_process - - index - - last_fail_date - - last_success_change - - last_success_reconciliation - - last_success_verification - - last_task - - logon_domain - - policy_id - - port - - privcloud - - reset_immediately - - retries_count - - sequence_id - - tags - - user_dn - - user_name - - virtual_username - extra_details: - - ad_process_id - - ad_process_name - - application_type - - command - - connection_component_id - - dst_host - - logon_account - - managed_account - - process_id - - process_name - - protocol - - psmid - - session_duration - - session_id - - src_host - - username - source: > - Map audit = ctx.cyberarkpas.audit; - params.entrySet().stream().filter(e -> audit.containsKey(e.getKey())).forEach(lst -> { - Map base = audit[lst.getKey()], - selected = new HashMap(); - lst.getValue().stream().filter(fld -> base.containsKey(fld)).forEach(fld -> { - selected[fld] = base.remove(fld); - }); - selected['other'] = base; - audit[lst.getKey()] = selected; - }); - # - # Cleanup - # - - remove: - field: _tmp - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - remove: - field: _tmp - ignore_missing: true - - set: - field: event.kind - value: pipeline_error diff --git a/packages/cyberarkpas/2.4.2/data_stream/audit/fields/base-fields.yml b/packages/cyberarkpas/2.4.2/data_stream/audit/fields/base-fields.yml deleted file mode 100755 index 62b68b8872..0000000000 --- a/packages/cyberarkpas/2.4.2/data_stream/audit/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: cyberarkpas
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: cyberarkpas.audit
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/cyberarkpas/2.4.2/data_stream/audit/fields/beats.yml b/packages/cyberarkpas/2.4.2/data_stream/audit/fields/beats.yml
deleted file mode 100755
index 9275638f93..0000000000
--- a/packages/cyberarkpas/2.4.2/data_stream/audit/fields/beats.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/cyberarkpas/2.4.2/data_stream/audit/fields/ecs.yml b/packages/cyberarkpas/2.4.2/data_stream/audit/fields/ecs.yml
deleted file mode 100755
index 7263db5b53..0000000000
--- a/packages/cyberarkpas/2.4.2/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,271 +0,0 @@
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: |-
- The domain name of the destination system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: destination.domain
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- level: core
- name: destination.geo.location
- type: geo_point
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.user.name
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- Identification code for this event, if one exists.
- Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
- name: event.code
- type: keyword
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Name of the module this data is coming from.
- If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.
- name: event.module
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- Reason why this event happened, according to the source.
- This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
- name: event.reason
- type: keyword
-- description: |-
- The numeric severity of the event according to your event source.
- What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
- The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
- name: event.severity
- type: long
-- description: |-
- This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
- Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
- name: event.timezone
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
- multi_fields:
- - name: text
- type: match_only_text
- name: file.path
- type: keyword
-- description: |-
- Name of the host.
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
- name: host.name
- type: keyword
-- description: |-
- Syslog numeric priority of the event, if available.
- According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
- name: log.syslog.priority
- type: long
-- description: |-
- When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
- For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
- The field value must be normalized to lowercase for querying.
- name: network.application
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Hostname of the observer.
- name: observer.hostname
- type: keyword
-- description: The product name of the observer.
- name: observer.product
- type: keyword
-- description: |-
- The type of the observer the data is coming from.
- There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
- name: observer.type
- type: keyword
-- description: Vendor name of the observer.
- name: observer.vendor
- type: keyword
-- description: Observer version.
- name: observer.version
- type: keyword
-- description: |-
- Process name.
- Sometimes called program name or similar.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.name
- type: keyword
-- description: Process id.
- name: process.pid
- type: long
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- type: keyword
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- level: core
- name: source.geo.location
- type: geo_point
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.user.name
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
-- description: Short name or login of the user.
- multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword diff --git a/packages/cyberarkpas/2.4.2/data_stream/audit/fields/fields.yml b/packages/cyberarkpas/2.4.2/data_stream/audit/fields/fields.yml deleted file mode 100755 index df1d01fe1c..0000000000 --- a/packages/cyberarkpas/2.4.2/data_stream/audit/fields/fields.yml +++ /dev/null 
@@ -1,178 +0,0 @@ -- name: cyberarkpas.audit - type: group - fields: - - name: action - type: keyword - description: A description of the audit record. - - name: ca_properties - type: group - description: Account metadata. - fields: - - name: address - type: keyword - - name: cpm_disabled - type: keyword - - name: cpm_error_details - type: keyword - - name: cpm_status - type: keyword - - name: creation_method - type: keyword - - name: customer - type: keyword - - name: database - type: keyword - - name: device_type - type: keyword - - name: dual_account_status - type: keyword - - name: group_name - type: keyword - - name: in_process - type: keyword - - name: index - type: keyword - - name: last_fail_date - type: keyword - - name: last_success_change - type: keyword - - name: last_success_reconciliation - type: keyword - - name: last_success_verification - type: keyword - - name: last_task - type: keyword - - name: logon_domain - type: keyword - - name: policy_id - type: keyword - - name: port - type: keyword - - name: privcloud - type: keyword - - name: reset_immediately - type: keyword - - name: retries_count - type: keyword - - name: sequence_id - type: keyword - - name: tags - type: keyword - - name: user_dn - type: keyword - - name: user_name - type: keyword - - name: virtual_username - type: keyword - - name: other - type: flattened - - name: category - type: keyword - description: The category name (for category-related operations). - - name: desc - type: keyword - description: A static value that displays a description of the audit codes. - - name: extra_details - type: group - description: Specific extra details of the audit records. 
- fields: - - name: ad_process_id - type: keyword - - name: ad_process_name - type: keyword - - name: application_type - type: keyword - - name: command - type: keyword - - name: connection_component_id - type: keyword - - name: dst_host - type: keyword - - name: logon_account - type: keyword - - name: managed_account - type: keyword - - name: process_id - type: keyword - - name: process_name - type: keyword - - name: protocol - type: keyword - - name: psmid - type: keyword - - name: session_duration - type: keyword - - name: session_id - type: keyword - - name: src_host - type: keyword - - name: username - type: keyword - - name: other - type: flattened - - name: file - type: keyword - description: The name of the target file. - - name: gateway_station - type: ip - description: The IP of the web application machine (PVWA). - - name: hostname - type: keyword - description: The hostname, in upper case. - - name: iso_timestamp - type: date - description: The timestamp, in ISO Timestamp format (RFC 3339). - - name: issuer - type: keyword - description: The Vault user who wrote the audit. This is usually the user who performed the operation. - - name: location - type: keyword - description: The target Location (for Location operations). - ignore_above: 4096 - - name: message - type: keyword - description: A description of the audit records (same information as in the Desc field). - - name: message_id - type: keyword - description: The code ID of the audit records. - - name: product - type: keyword - description: A static value that represents the product. - - name: pvwa_details - type: flattened - description: Specific details of the PVWA audit records. - - name: raw - type: keyword - description: | - Raw XML for the original audit record. Only present when XSLT file has debugging enabled. - ignore_above: 4096 - - name: reason - type: text - description: The reason entered by the user. 
- - name: rfc5424 - type: boolean - description: Whether the syslog format complies with RFC5424. - - name: safe - type: keyword - description: The name of the target Safe. - - name: severity - type: keyword - description: The severity of the audit records. - - name: source_user - type: keyword - description: The name of the Vault user who performed the operation. - - name: station - type: ip - description: The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP. - - name: target_user - type: keyword - description: The name of the Vault user on which the operation was performed. - - name: timestamp - type: keyword - description: The timestamp, in MMM DD HH:MM:SS format. - - name: vendor - type: keyword - description: A static value that represents the vendor. - - name: version - type: keyword - description: A static value that represents the version of the Vault. diff --git a/packages/cyberarkpas/2.4.2/data_stream/audit/manifest.yml b/packages/cyberarkpas/2.4.2/data_stream/audit/manifest.yml deleted file mode 100755 index 7d7ee68cea..0000000000 --- a/packages/cyberarkpas/2.4.2/data_stream/audit/manifest.yml +++ /dev/null 
@@ -1,139 +0,0 @@ -type: logs -title: CyberArk PAS audit logs -streams: - - input: logfile - enabled: false - template_path: log.yml.hbs - title: CyberArk PAS audit logs - description: Collect CyberArk PAS audit logs from files. - vars: - - name: paths - type: text - title: Paths - multi: true - required: false - show_user: true - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - cyberarkpas-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - input: tcp - enabled: true - template_path: tcp.yml.hbs - title: CyberArk PAS audit logs (TCP) - description: Collect CyberArk PAS audit logs using TCP input - vars: - - name: syslog_host - type: text - title: Syslog Host - multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Syslog Port - multi: false - required: true - show_user: true - default: 9301 - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cyberarkpas-audit - - forwarded - - name: ssl - type: yaml - title: TLS configuration - multi: false - required: false - show_user: true - description: Options for enabling TLS mode. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options. 
- - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - input: udp - enabled: true - template_path: udp.yml.hbs - title: CyberArk PAS audit logs (UDP) - description: Collect CyberArk PAS audit logs using UDP input - vars: - - name: syslog_host - type: text - title: Syslog Host - multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Syslog Port - multi: false - required: true - show_user: true - default: 9301 - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cyberarkpas-audit - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
diff --git a/packages/cyberarkpas/2.4.2/data_stream/audit/sample_event.json b/packages/cyberarkpas/2.4.2/data_stream/audit/sample_event.json deleted file mode 100755 index fd888f6521..0000000000 --- a/packages/cyberarkpas/2.4.2/data_stream/audit/sample_event.json +++ /dev/null 
@@ -1,109 +0,0 @@ -{ - "@timestamp": "2021-03-08T18:07:51.000Z", - "agent": { - "ephemeral_id": "0c6c824f-931a-418f-9535-22af6210c402", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "cyberarkpas": { - "audit": { - "action": "Full Gateway Connection", - "desc": "Full Gateway Connection", - "gateway_station": "10.0.1.20", - "iso_timestamp": "2021-03-08T18:07:51Z", - "issuer": "Administrator", - "message": "Full Gateway Connection", - "rfc5424": true, - "severity": "Info", - "source_user": "PVWAGWUser", - "station": "127.0.0.1", - "timestamp": "Mar 08 10:07:51" - } - }, - "data_stream": { - "dataset": "cyberarkpas.audit", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.0.1.20", - "ip": "10.0.1.20", - "user": { - "name": "Administrator" - } - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "full gateway connection", - "agent_id_status": "verified", - "category": [ - "network" - ], - "code": "19", - "dataset": "cyberarkpas.audit", - "ingested": "2022-02-03T12:51:00Z", - "kind": "event", - "outcome": "success", - "severity": 2, - "timezone": "+00:00", - "type": [ - "start" - ] - }, - "host": { - "name": "VAULT" - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.19.0.7:35950" - }, - "syslog": { - "priority": 5 - } - }, - "network": { - "direction": "internal" - }, - "observer": { - "hostname": "VAULT", - "product": "Vault", - "vendor": "Cyber-Ark", - "version": "11.7.0000" - }, - "related": { - "ip": [ - "127.0.0.1", - "10.0.1.20" - ], - "user": [ - "PVWAGWUser", - "Administrator" - ] - }, - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1", - "user": { - "name": "PVWAGWUser" - } - }, - "tags": [ - "cyberarkpas-audit", - "forwarded" - ], - "user": { - "name": "PVWAGWUser" - } -} 
\ No newline at end of file diff --git a/packages/cyberarkpas/2.4.2/docs/README.md b/packages/cyberarkpas/2.4.2/docs/README.md deleted file mode 100755 index 12fd2f9948..0000000000 --- a/packages/cyberarkpas/2.4.2/docs/README.md +++ /dev/null 
@@ -1,297 +0,0 @@ -# CyberArk Privileged Access Security - -The CyberArk Privileged Access Security integration collects audit logs from [CyberArk's Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/Portal/Content/Resources/_TopNav/cc_Portal.htm) server. -## Audit - -The `audit` dataset receives Vault Audit logs for User and Safe activities over the syslog protocol. - -### Vault Configuration - -Follow the steps under [Security Information and Event Management (SIEM) Applications](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) documentation to setup the integration: - -- Copy the [elastic-json-v1.0.xsl](https://raw.githubusercontent.com/elastic/beats/master/x-pack/filebeat/module/cyberarkpas/_meta/assets/elastic-json-v1.0.xsl) XSL Translator file to -the `Server\Syslog` folder. - -- Sample syslog configuration for `DBPARM.ini`: - -```ini -[SYSLOG] -UseLegacySyslogFormat=No -SyslogTranslatorFile=Syslog\elastic-json-v1.0.xsl -SyslogServerIP= -SyslogServerPort= -SyslogServerProtocol=TCP -``` - -For proper timestamping of events, it's recommended to use the newer RFC5424 Syslog format -(`UseLegacySyslogFormat=No`). To avoid event loss, use `TCP` or `TLS` protocols instead of `UDP`. 
- -### Example event - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2021-03-08T18:07:51.000Z", - "agent": { - "ephemeral_id": "0c6c824f-931a-418f-9535-22af6210c402", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "cyberarkpas": { - "audit": { - "action": "Full Gateway Connection", - "desc": "Full Gateway Connection", - "gateway_station": "10.0.1.20", - "iso_timestamp": "2021-03-08T18:07:51Z", - "issuer": "Administrator", - "message": "Full Gateway Connection", - "rfc5424": true, - "severity": "Info", - "source_user": "PVWAGWUser", - "station": "127.0.0.1", - "timestamp": "Mar 08 10:07:51" - } - }, - "data_stream": { - "dataset": "cyberarkpas.audit", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.0.1.20", - "ip": "10.0.1.20", - "user": { - "name": "Administrator" - } - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "full gateway connection", - "agent_id_status": "verified", - "category": [ - "network" - ], - "code": "19", - "dataset": "cyberarkpas.audit", - "ingested": "2022-02-03T12:51:00Z", - "kind": "event", - "outcome": "success", - "severity": 2, - "timezone": "+00:00", - "type": [ - "start" - ] - }, - "host": { - "name": "VAULT" - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.19.0.7:35950" - }, - "syslog": { - "priority": 5 - } - }, - "network": { - "direction": "internal" - }, - "observer": { - "hostname": "VAULT", - "product": "Vault", - "vendor": "Cyber-Ark", - "version": "11.7.0000" - }, - "related": { - "ip": [ - "127.0.0.1", - "10.0.1.20" - ], - "user": [ - "PVWAGWUser", - "Administrator" - ] - }, - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1", - "user": { - "name": "PVWAGWUser" - } - }, - "tags": [ - 
"cyberarkpas-audit", - "forwarded" - ], - "user": { - "name": "PVWAGWUser" - } -} -``` - -**Exported fields** - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cyberarkpas.audit.action | A description of the audit record. | keyword | -| cyberarkpas.audit.ca_properties.address | | keyword | -| cyberarkpas.audit.ca_properties.cpm_disabled | | keyword | -| cyberarkpas.audit.ca_properties.cpm_error_details | | keyword | -| cyberarkpas.audit.ca_properties.cpm_status | | keyword | -| cyberarkpas.audit.ca_properties.creation_method | | keyword | -| cyberarkpas.audit.ca_properties.customer | | keyword | -| cyberarkpas.audit.ca_properties.database | | keyword | -| cyberarkpas.audit.ca_properties.device_type | | keyword | -| cyberarkpas.audit.ca_properties.dual_account_status | | keyword | -| cyberarkpas.audit.ca_properties.group_name | | keyword | -| cyberarkpas.audit.ca_properties.in_process | | keyword | -| cyberarkpas.audit.ca_properties.index | | keyword | -| cyberarkpas.audit.ca_properties.last_fail_date | | keyword | -| cyberarkpas.audit.ca_properties.last_success_change | | keyword | -| cyberarkpas.audit.ca_properties.last_success_reconciliation | | keyword | -| cyberarkpas.audit.ca_properties.last_success_verification | | keyword | -| cyberarkpas.audit.ca_properties.last_task | | keyword | -| cyberarkpas.audit.ca_properties.logon_domain | | keyword | -| cyberarkpas.audit.ca_properties.other | | flattened | -| cyberarkpas.audit.ca_properties.policy_id | | keyword | -| cyberarkpas.audit.ca_properties.port | | keyword | -| cyberarkpas.audit.ca_properties.privcloud | | keyword | -| cyberarkpas.audit.ca_properties.reset_immediately | | keyword | -| cyberarkpas.audit.ca_properties.retries_count | | keyword | -| cyberarkpas.audit.ca_properties.sequence_id | | keyword | -| cyberarkpas.audit.ca_properties.tags | | keyword | -| cyberarkpas.audit.ca_properties.user_dn | | keyword | -| 
cyberarkpas.audit.ca_properties.user_name | | keyword | -| cyberarkpas.audit.ca_properties.virtual_username | | keyword | -| cyberarkpas.audit.category | The category name (for category-related operations). | keyword | -| cyberarkpas.audit.desc | A static value that displays a description of the audit codes. | keyword | -| cyberarkpas.audit.extra_details.ad_process_id | | keyword | -| cyberarkpas.audit.extra_details.ad_process_name | | keyword | -| cyberarkpas.audit.extra_details.application_type | | keyword | -| cyberarkpas.audit.extra_details.command | | keyword | -| cyberarkpas.audit.extra_details.connection_component_id | | keyword | -| cyberarkpas.audit.extra_details.dst_host | | keyword | -| cyberarkpas.audit.extra_details.logon_account | | keyword | -| cyberarkpas.audit.extra_details.managed_account | | keyword | -| cyberarkpas.audit.extra_details.other | | flattened | -| cyberarkpas.audit.extra_details.process_id | | keyword | -| cyberarkpas.audit.extra_details.process_name | | keyword | -| cyberarkpas.audit.extra_details.protocol | | keyword | -| cyberarkpas.audit.extra_details.psmid | | keyword | -| cyberarkpas.audit.extra_details.session_duration | | keyword | -| cyberarkpas.audit.extra_details.session_id | | keyword | -| cyberarkpas.audit.extra_details.src_host | | keyword | -| cyberarkpas.audit.extra_details.username | | keyword | -| cyberarkpas.audit.file | The name of the target file. | keyword | -| cyberarkpas.audit.gateway_station | The IP of the web application machine (PVWA). | ip | -| cyberarkpas.audit.hostname | The hostname, in upper case. | keyword | -| cyberarkpas.audit.iso_timestamp | The timestamp, in ISO Timestamp format (RFC 3339). | date | -| cyberarkpas.audit.issuer | The Vault user who wrote the audit. This is usually the user who performed the operation. | keyword | -| cyberarkpas.audit.location | The target Location (for Location operations). 
| keyword | -| cyberarkpas.audit.message | A description of the audit records (same information as in the Desc field). | keyword | -| cyberarkpas.audit.message_id | The code ID of the audit records. | keyword | -| cyberarkpas.audit.product | A static value that represents the product. | keyword | -| cyberarkpas.audit.pvwa_details | Specific details of the PVWA audit records. | flattened | -| cyberarkpas.audit.raw | Raw XML for the original audit record. Only present when XSLT file has debugging enabled. | keyword | -| cyberarkpas.audit.reason | The reason entered by the user. | text | -| cyberarkpas.audit.rfc5424 | Whether the syslog format complies with RFC5424. | boolean | -| cyberarkpas.audit.safe | The name of the target Safe. | keyword | -| cyberarkpas.audit.severity | The severity of the audit records. | keyword | -| cyberarkpas.audit.source_user | The name of the Vault user who performed the operation. | keyword | -| cyberarkpas.audit.station | The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP. | ip | -| cyberarkpas.audit.target_user | The name of the Vault user on which the operation was performed. | keyword | -| cyberarkpas.audit.timestamp | The timestamp, in MMM DD HH:MM:SS format. | keyword | -| cyberarkpas.audit.vendor | A static value that represents the vendor. | keyword | -| cyberarkpas.audit.version | A static value that represents the version of the Vault. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). 
| keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. 
| long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
-| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| observer.hostname | Hostname of the observer. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. 
| keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.pid | Process id. | long |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. 
| match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user.target.name | Short name or login of the user. | keyword |
-| user.target.name.text | Multi-field of `user.target.name`. | match_only_text |
-
diff --git a/packages/cyberarkpas/2.4.2/img/filebeat-cyberarkpas-overview.png b/packages/cyberarkpas/2.4.2/img/filebeat-cyberarkpas-overview.png
deleted file mode 100755
index 768de75855..0000000000
Binary files a/packages/cyberarkpas/2.4.2/img/filebeat-cyberarkpas-overview.png and /dev/null differ
diff --git a/packages/cyberarkpas/2.4.2/img/logo.svg b/packages/cyberarkpas/2.4.2/img/logo.svg
deleted file mode 100755
index 04930adfd8..0000000000
--- a/packages/cyberarkpas/2.4.2/img/logo.svg
+++ /dev/null
@@ -1 +0,0 @@
-Asset 25
diff --git a/packages/cyberarkpas/2.4.2/kibana/dashboard/cyberarkpas-eb12ef60-96f6-11eb-bbf8-d77aef8ad7a6.json b/packages/cyberarkpas/2.4.2/kibana/dashboard/cyberarkpas-eb12ef60-96f6-11eb-bbf8-d77aef8ad7a6.json
deleted file mode 100755
index 878b317f1f..0000000000
--- a/packages/cyberarkpas/2.4.2/kibana/dashboard/cyberarkpas-eb12ef60-96f6-11eb-bbf8-d77aef8ad7a6.json
+++ /dev/null
@@ -1,160 +0,0 @@ -{ - "attributes": { - "description": "Dashboard for CyberArk Privileged Access Security events.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cyberarkpas.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cyberarkpas.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"observer.hostname\",\"id\":\"1617726994032\",\"indexPattern\":\"logs-*\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\" By Vault host\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"event.code\",\"id\":\"1617811797137\",\"indexPattern\":\"logs-*\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"By event 
code\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":false},\"title\":\"\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"1007fa0d-a6a1-4682-a346-a90acc179da5\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"1007fa0d-a6a1-4682-a346-a90acc179da5\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"cyberarkpas.audit\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"hide_in_legend\":0,\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"rainbow\",\"params\":{\"colors\":[\"#68BC00\",\"#009CE0\",\"#B0BC00\",\"#16A5A5\",\"#D33115\",\"#E27300\",\"#FCC400\",\"#7B64FF\",\"#FA28FF\",\"#333333\",\"#808080\",\"#194D33\",\"#0062B1\",\"#808900\",\"#0C797D\",\"#9F0500\",\"#C45100\",\"#FB9E00\",\"#653294\",\"#AB149E\",\"#0F1419\",\"#666666\"],\"gradient\":false},\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":null,\"split_mode\":\"terms\",\"stacked\":\"stacked\",\"terms_field\":\"cyberarkpas.audit.desc\",\"type\":\"timeseries\"}],\"show_grid\
":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":13,\"i\":\"f2dc3750-9b7c-4b0e-a45d-3d3b08f74f3e\",\"w\":38,\"x\":10,\"y\":0},\"panelIndex\":\"f2dc3750-9b7c-4b0e-a45d-3d3b08f74f3e\",\"title\":\"event types by time\",\"type\":\"visualization\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-33bc0096-e418-4f81-9c7c-7fdd16cc5203\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"33bc0096-e418-4f81-9c7c-7fdd16cc5203\":{\"columnOrder\":[\"eedd5aa8-a7c4-466a-b10b-3a8cba3bac12\"],\"columns\":{\"eedd5aa8-a7c4-466a-b10b-3a8cba3bac12\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\" \",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eedd5aa8-a7c4-466a-b10b-3a8cba3bac12\",\"layerId\":\"33bc0096-e418-4f81-9c7c-7fdd16cc5203\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":4,\"i\":\"af9e9f0b-a40c-411e-b441-2a779983ed24\",\"w\":10,\"x\":0,\"y\":9},\"panelIndex\":\"af9e9f0b-a40c-411e-b441-2a779983ed24\",\"title\":\"Count of 
events\",\"type\":\"lens\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-de047c06-a965-47aa-8a15-8b0266d5abc3\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"de047c06-a965-47aa-8a15-8b0266d5abc3\":{\"columnOrder\":[\"b916e5f5-a64a-49f1-b37a-ee1825fc61a4\",\"3effd03e-0ed9-4e2d-ba8e-d77ae505092e\"],\"columns\":{\"3effd03e-0ed9-4e2d-ba8e-d77ae505092e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b916e5f5-a64a-49f1-b37a-ee1825fc61a4\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.outcome\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"3effd03e-0ed9-4e2d-ba8e-d77ae505092e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.outcome\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b916e5f5-a64a-49f1-b37a-ee1825fc61a4\"],\"layerId\":\"de047c06-a965-47aa-8a15-8b0266d5abc3\",\"legendDisplay\":\"default\",\"metric\":\"3effd03e-0ed9-4e2d-ba8e-d77ae505092e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"7031905a-92ab-4e0e-aa58-72f1c07ff409\",\"w\":10,\"x\":0,\"y\":13},\"panelIndex\":\"7031905a-92ab-4e0e-aa58-72f1c07ff409\",\"title\":\"Breakdown by 
outcome\",\"type\":\"lens\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-19858811-84d1-4f50-901c-dc1451972324\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"19858811-84d1-4f50-901c-dc1451972324\":{\"columnOrder\":[\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\",\"e3526253-18e0-4122-b112-ee5b4b9e23d7\"],\"columns\":{\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of destination.user.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"type\":\"alphabetical\"},\"orderDirection\":\"asc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.user.name\"},\"e3526253-18e0-4122-b112-ee5b4b9e23d7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cyberarkpas.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cyberarkpas.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"308\",\"22\",\"319\",\"295\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"308\"}},{\"match_phrase\":{\"event.code\":\"22\"}},{\"match_phrase\":{\"event.code\":\"319\"}},{\"match_phrase\":{\"event.code\":\"295\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\",\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\",\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\",\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\",\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\",\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\"],\"layerId\":\"19858811-84d1-4f50-901c-dc1451972324\",\"legendDisplay\":\"default\",\"metric\":\"e3526253-18e0-4122-b112-ee5b4b9e23d7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"a24b9c0c-da95-4016-9fe5-2c0d34005832\",\"w\":11,\"x\":10,\"y\":13},\"panelIndex\":\"a24b9c0c-da95-4016-9fe5-2c0d34005832\",\"title\":\"Top 10 user credentials 
accessed\",\"type\":\"lens\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-50325938-6a9e-4a26-946e-4468e68c6591\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"50325938-6a9e-4a26-946e-4468e68c6591\":{\"columnOrder\":[\"8a965540-daa1-4848-80bb-96ddf53a328f\",\"c05a39ad-2983-4f4a-900d-a939ecbda504\",\"a808a872-71b5-4a76-a939-354f68991881\"],\"columns\":{\"8a965540-daa1-4848-80bb-96ddf53a328f\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.outcome\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a808a872-71b5-4a76-a939-354f68991881\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":2},\"scale\":\"ordinal\",\"sourceField\":\"event.outcome\"},\"a808a872-71b5-4a76-a939-354f68991881\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Credentials 
accessed\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c05a39ad-2983-4f4a-900d-a939ecbda504\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cyberarkpas.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cyberarkpas.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"308\",\"22\",\"319\",\"295\",\"38\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"308\"}},{\"match_phrase\":{\"event.code\":\"22\"}},{\"match_phrase\":{\"event.code\":\"319\"}},{\"match_phrase\":{\"event.code\":\"295\"}},{\"match_phrase\":{\"event.code\":\"38\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"layers\":[{\"accessors\":[\"a808a872-71b5-4a76-a939-354f68991881\"],\"layerId\":\"50325938-6a9e-4a26-946e-4468e68c6591\",\"position\":\"top\",\"seriesType\":\"area_stacked\",\"showGridlines\":false,\"splitAccessor\":\"8a965540-daa1-4848-80bb-96ddf53a328f\",\"xAccessor\":\"c05a39ad-2983-4f4a-900d-a939ecbda504\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"area_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"l
ens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"1dc68cc6-e1b3-43ea-9b0e-f423d194b99a\",\"w\":27,\"x\":21,\"y\":13},\"panelIndex\":\"1dc68cc6-e1b3-43ea-9b0e-f423d194b99a\",\"title\":\"Credential access by time\",\"type\":\"lens\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-105faf70-8330-46b3-a82a-573a383068fa\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"105faf70-8330-46b3-a82a-573a383068fa\":{\"columnOrder\":[\"c51d6847-2fcc-4d13-a44f-49786cb979ed\",\"d73b823b-ae68-4e73-bbe2-90a35bc825e7\",\"c0147524-accc-4dee-a4fc-44199e3459f1\"],\"columns\":{\"c0147524-accc-4dee-a4fc-44199e3459f1\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Authentications\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c51d6847-2fcc-4d13-a44f-49786cb979ed\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Users\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c0147524-accc-4dee-a4fc-44199e3459f1\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":8},\"scale\":\"ordinal\",\"sourceField\":\"user.name\"},\"d73b823b-ae68-4e73-bbe2-90a35bc825e7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.outcome\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"type\":\"alphabetical\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":2},\"scale\":\"ordinal\",\"sourceField\":\"event.outcome\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"event.category\",\"negate\":false,\"params\":[\"authentication\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.category\":\"authentication\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"layers\":[{\"accessors\":[\"c0147524-accc-4dee-a4fc-44199e3459f1\"],\"layerId\":\"105faf70-8330-46b3-a82a-573a383068fa\",\"palette\":{\"name\":\"status\",\"type\":\"palette\"},\"position\":\"top\",\"seriesType\":\"bar_horizontal_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d73b823b-ae68-4e73-bbe2-90a35bc825e7\",\"xAccessor\":\"c51d6847-2fcc-4d13-a44f-49786cb979ed\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":false},\"preferredSeriesType\":\"bar_horizontal_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":23,\"i\":\"c56b3e4d-bfb6-4b06-a62b-282753b85f7a\",\"w\":15,\"x\":0,\"y\":26},\"panelIndex\":\"c56b3e4d-bfb6-4b06-a62b-282753b85f7a\",\"title\":\"Vault Authentication 
attempts\",\"type\":\"lens\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"id\\\":null,\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"a3734143-d6e1-4551-b0b1-8282a37e151b\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"label\\\":\\\"logs-* | Source Point\\\",\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"geoField\\\":\\\"source.geo.location\\\",\\\"scalingType\\\":\\\"TOP_HITS\\\",\\\"topHitsSplitField\\\":\\\"source.ip\\\",\\\"tooltipProperties\\\":[\\\"host.name\\\",\\\"source.ip\\\",\\\"source.domain\\\",\\\"source.geo.country_iso_code\\\",\\\"source.as.organization.name\\\"],\\\"id\\\":\\\"5f2b25a1-01ea-45ca-a4a2-f1a670c3b149\\\",\\\"type\\\":\\\"ES_SEARCH\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"filterByMapBounds\\\":true,\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"topHitsSize\\\":22},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"home\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#6092C0\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":2}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":8}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\"
:{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"icon\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"2ad8e318-4ef4-4e89-94f2-f37e395c488c\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"type\\\":\\\"VECTOR\\\",\\\"joins\\\":[]},{\\\"label\\\":\\\"logs-* | Destination point\\\",\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"scalingType\\\":\\\"TOP_HITS\\\",\\\"topHitsSplitField\\\":\\\"destination.ip\\\",\\\"tooltipProperties\\\":[\\\"host.name\\\",\\\"destination.ip\\\",\\\"destination.domain\\\",\\\"destination.geo.country_iso_code\\\",\\\"destination.as.organization.name\\\"],\\\"id\\\":\\\"bc95f479-964f-4498-be1e-376d34a01b0a\\\",\\\"type\\\":\\\"ES_SEARCH\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"filterByMapBounds\\\":true,\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"topHitsSize\\\":35},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#D36086\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":2}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":8}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\
\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"icon\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"dbb878c8-4039-49f1-b2ff-ab7fb942ba55\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"type\\\":\\\"VECTOR\\\",\\\"joins\\\":[]},{\\\"label\\\":\\\"logs-* | Line\\\",\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"sourceGeoField\\\":\\\"source.geo.location\\\",\\\"destGeoField\\\":\\\"destination.geo.location\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"},{\\\"type\\\":\\\"sum\\\",\\\"field\\\":\\\"destination.bytes\\\"}],\\\"id\\\":\\\"faf6884d-b7cb-41dd-ab86-95970d7c59d2\\\",\\\"type\\\":\\\"ES_PEW_PEW\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#6092C0\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"minSize\\\":1,\\\"maxSize\\\":8,\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":true,\\\"sigma\\\":3}}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\
"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"9c450fbf-b009-4b53-9810-2f47ca8dcfa8\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"type\\\":\\\"VECTOR\\\",\\\"joins\\\":[]}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.24,\\\"center\\\":{\\\"lon\\\":-49.38072,\\\"lat\\\":7.87497},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15w\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":148.88690000000003,\"maxLon\":438.09868,\"minLat\":-116.68142,\"minLon\":-417.60444},\"mapCenter\":{\"lat\":43.83453,\"lon\":10.24712,\"zoom\":1},\"openTOCDetails\":[]},\"gridData\":{\"h\":23,\"i\":\"cd1e20e7-706f-4d02-949c-d9f5908bad67\",\"w\":33,\"x\":15,\"y\":26},\"panelIndex\":\"cd1e20e7-706f-4d02-949c-d9f5908bad67\",\"title\":\"Network sources and 
destinations\",\"type\":\"map\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-028c5c1e-79f9-4999-8438-4889ac2b714c\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"028c5c1e-79f9-4999-8438-4889ac2b714c\":{\"columnOrder\":[\"e55346c7-87bc-49f4-9215-8a36931d05f4\",\"f2cd86e2-fb91-48b2-b8dd-e98395d28e00\"],\"columns\":{\"e55346c7-87bc-49f4-9215-8a36931d05f4\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Users\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f2cd86e2-fb91-48b2-b8dd-e98395d28e00\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"user.name\"},\"f2cd86e2-fb91-48b2-b8dd-e98395d28e00\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Failed 
authentications\",\"operationType\":\"count\",\"params\":{},\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"authentication\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"authentication\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.outcome\",\"negate\":false,\"params\":{\"query\":\"failure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.outcome\":\"failure\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"layers\":[{\"accessors\":[\"f2cd86e2-fb91-48b2-b8dd-e98395d28e00\"],\"layerId\":\"028c5c1e-79f9-4999-8438-4889ac2b714c\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"xAccessor\":\"e55346c7-87bc-49f4-9215-8a36931d05f4\",\"yConfig\":[{\"color\":\"#d36086\",\"forAccessor\":\"f2cd86e2-fb91-48b2-b8dd-e98395d28e00\"}]}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c6305b30-a7e2-4cc3-b49b-db99031f150e\",\"w\":15,\"x\":0,\"y\":49},\"panelIndex\":\"c6305b30-a7e2-4cc3-b49b-db99031f150e\",\"title\":\"Top users by failed authentications to 
Vault\",\"type\":\"lens\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"96a2c711-40a3-4dfc-87f5-4b193078e05a\",\"w\":33,\"x\":15,\"y\":49},\"panelIndex\":\"96a2c711-40a3-4dfc-87f5-4b193078e05a\",\"panelRefName\":\"panel_9\",\"title\":\"Credential Access\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"columns\":[\"observer.hostname\",\"cyberarkpas.audit.action\",\"cyberarkpas.audit.issuer\",\"cyberarkpas.audit.safe\",\"file.path\"],\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":18,\"i\":\"6cd62115-65e7-416f-8da7-96b0d7a9d932\",\"w\":48,\"x\":0,\"y\":64},\"panelIndex\":\"6cd62115-65e7-416f-8da7-96b0d7a9d932\",\"panelRefName\":\"panel_10\",\"title\":\"All logs\",\"version\":\"7.12.0\"}]", - "timeRestore": false, - "title": "[Logs CyberArk PAS] Overview", - "version": 1 - }, - "coreMigrationVersion": "7.12.0", - "id": "cyberarkpas-eb12ef60-96f6-11eb-bbf8-d77aef8ad7a6", - "migrationVersion": { - "dashboard": "7.11.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-33bc0096-e418-4f81-9c7c-7fdd16cc5203", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-de047c06-a965-47aa-8a15-8b0266d5abc3", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - 
"id": "logs-*", - "name": "indexpattern-datasource-layer-19858811-84d1-4f50-901c-dc1451972324", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-50325938-6a9e-4a26-946e-4468e68c6591", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-105faf70-8330-46b3-a82a-573a383068fa", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "layer_2_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "layer_3_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-028c5c1e-79f9-4999-8438-4889ac2b714c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "cyberarkpas-a9b82df0-97a5-11eb-bbf8-d77aef8ad7a6", - "name": "panel_9", - "type": "search" - }, - { - "id": "cyberarkpas-fec0d170-96f7-11eb-bbf8-d77aef8ad7a6", - "name": "panel_10", - "type": "search" - } - ], - "type": 
"dashboard" -} \ No newline at end of file diff --git a/packages/cyberarkpas/2.4.2/kibana/search/cyberarkpas-a9b82df0-97a5-11eb-bbf8-d77aef8ad7a6.json b/packages/cyberarkpas/2.4.2/kibana/search/cyberarkpas-a9b82df0-97a5-11eb-bbf8-d77aef8ad7a6.json deleted file mode 100755 index 7c7f726138..0000000000 --- a/packages/cyberarkpas/2.4.2/kibana/search/cyberarkpas-a9b82df0-97a5-11eb-bbf8-d77aef8ad7a6.json +++ /dev/null 
@@ -1,52 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "event.outcome", - "source.address", - "source.user.name", - "destination.address", - "destination.user.name", - "event.reason" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cyberarkpas.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cyberarkpas.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"308\",\"319\",\"295\",\"22\",\"38\",\"300\",\"302\"],\"type\":\"phrases\",\"value\":\"308, 319, 295, 22, 38, 300, 302\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"308\"}},{\"match_phrase\":{\"event.code\":\"319\"}},{\"match_phrase\":{\"event.code\":\"295\"}},{\"match_phrase\":{\"event.code\":\"22\"}},{\"match_phrase\":{\"event.code\":\"38\"}},{\"match_phrase\":{\"event.code\":\"300\"}},{\"match_phrase\":{\"event.code\":\"302\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Credential Access logs [Logs CyberArk PAS]", - "version": 1 - }, - "coreMigrationVersion": "7.12.0", - "id": "cyberarkpas-a9b82df0-97a5-11eb-bbf8-d77aef8ad7a6", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cyberarkpas/2.4.2/kibana/search/cyberarkpas-fec0d170-96f7-11eb-bbf8-d77aef8ad7a6.json b/packages/cyberarkpas/2.4.2/kibana/search/cyberarkpas-fec0d170-96f7-11eb-bbf8-d77aef8ad7a6.json deleted file mode 100755 index dc7d982de3..0000000000 --- a/packages/cyberarkpas/2.4.2/kibana/search/cyberarkpas-fec0d170-96f7-11eb-bbf8-d77aef8ad7a6.json +++ /dev/null @@ -1,34 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"cyberarkpas.audit\\\" \"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "All logs [Logs CyberArk PAS]", - "version": 1 - }, - "coreMigrationVersion": "7.12.0", - "id": "cyberarkpas-fec0d170-96f7-11eb-bbf8-d77aef8ad7a6", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cyberarkpas/2.4.2/manifest.yml b/packages/cyberarkpas/2.4.2/manifest.yml deleted file mode 100755 index 3f07e67ad5..0000000000 --- a/packages/cyberarkpas/2.4.2/manifest.yml +++ /dev/null 
@@ -1,37 +0,0 @@
-name: cyberarkpas
-title: CyberArk Privileged Access Security Logs
-version: 2.4.2
-release: ga
-description: Collect audit logs from Cyberark Vault servers with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: ["security"]
-conditions:
- kibana.version: ^7.16.0 || ^8.0.0
-screenshots:
- - src: /img/filebeat-cyberarkpas-overview.png
- title: filebeat cyberarkpas overview
- size: 1792x2496
- type: image/png
-policy_templates:
- - name: cyberarkpas
- title: CyberArk Privileged Access Security audit logs
- description: Collect logs from Vault instances
- inputs:
- - type: tcp
- title: 'Collect Vault audit logs via TCP'
- description: 'Collecting Vault audit logs from CyberArk PAS via TCP'
- - type: udp
- title: 'Collect Vault audit logs via UDP'
- description: 'Collecting Vault audit logs from CyberArk PAS via UDP'
- - type: logfile
- title: 'Collect Vault audit logs via file'
- description: 'Collecting Vault audit logs from CyberArk PAS via file'
-icons:
- - src: /img/logo.svg
- title: CyberArk logo
- size: 32x32
- type: image/svg+xml
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/google_workspace/1.5.0/changelog.yml b/packages/google_workspace/1.5.0/changelog.yml
deleted file mode 100755
index 080f3c9a75..0000000000
--- a/packages/google_workspace/1.5.0/changelog.yml
+++ /dev/null
@@ -1,154 +0,0 @@
-# newer versions go on top
-- version: "1.5.0"
- changes:
- - description: Allow to set credentials directly in the config.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3430
-- version: "1.4.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2779
-- version: "1.3.4"
- changes:
- - description: Fix pagination to prevent skipped events when more than one page is present.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3140
-- version: "1.3.3"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.3.2"
- changes:
- - description: Add mapping for ECS event.created.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2862
-- version: "1.3.1"
- changes:
- - description: Remove redundant `event.ingested` from pipelines.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2797
- - description: Validate IP fields and remove invalid data to prevent index mapping exceptions.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2801
-- version: "1.3.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2408
-- version: "1.2.3"
- changes:
- - description: Fix admin pipeline parameter processing
- type: bugfix
- link: https://github.com/elastic/integrations/issues/2533
-- version: "1.2.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.2.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.2.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2256
-- version: "1.1.3"
- changes:
- - description: Uniform with guidelines
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2106
-- version: "1.1.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1966
-- version: "1.1.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1819
-- version: "1.1.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1634
-- version: "1.0.0"
- changes:
- - description: make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1719
-- version: "0.7.3"
- changes:
- - description: Convert to generated ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1479
-- version: '0.7.2'
- changes:
- - description: update to ECS 1.11.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1386
-- version: "0.7.1"
- changes:
- - description: Escape special characters in docs
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1405
-- version: "0.7.0"
- changes:
- - description: Update integration description
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1364
-- version: "0.6.0"
- changes:
- - description: Set "event.module" and "event.dataset"
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1263
-- version: "0.5.0"
- changes:
- - description: add system tests and remove log input
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1130
-- version: "0.4.0"
- changes:
- - description: update to ECS 1.10.0 and add event.original options
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1046
-- version: "0.3.1"
- changes:
- - description: add fingerprint processor to avoid duplicated events.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1019
-- version: "0.3.0"
- changes:
- - description: move edge processing to ingest pipelines
- type: enhancement
- link: https://github.com/elastic/integrations/pull/939
-- version: "0.2.4"
- changes:
- - description: add fail_on_template_error on pagination
- type: bugfix
- link: https://github.com/elastic/integrations/pull/900
-- version: "0.2.3"
- changes:
- - description: update to ECS 1.9.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/847
-- version: "0.2.2"
- changes:
- - description: fix status code parsing for saml datastream
- type: bugfix # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/809
-- version: "0.2.1"
- changes:
- - description: fixes date formatting for pagination
- type: bugfix # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/795
-- version: "0.0.1"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/466
diff --git a/packages/google_workspace/1.5.0/data_stream/admin/agent/stream/httpjson.yml.hbs b/packages/google_workspace/1.5.0/data_stream/admin/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 86e50863da..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/admin/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,44 +0,0 @@
-config_version: "2"
-interval: {{interval}}
-auth.oauth2.provider: google
-auth.oauth2.google.jwt_file: {{jwt_file}}
-auth.oauth2.google.jwt_json: {{jwt_json}}
-auth.oauth2.google.delegated_account: {{delegated_account}}
-auth.oauth2.scopes:
- - https://www.googleapis.com/auth/admin.reports.audit.readonly
-request.url: {{api_host}}/admin/reports/v1/activity/users/{{user_key}}/applications/admin
-{{#if http_client_timeout}}
-request.timeout: {{http_client_timeout}}
-{{/if}}
-request.transforms:
- - set:
- target: url.params.startTime
- value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]'
- default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
-response.split:
- target: body.items
- split:
- target: body.events
- keep_parent: true
-response.pagination:
- - set:
- target: url.params.pageToken
- value: "[[.last_response.body.nextPageToken]]"
- fail_on_template_error: true
-cursor:
- last_execution_datetime:
- value: "[[formatDate now]]"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/google_workspace/1.5.0/data_stream/admin/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/1.5.0/data_stream/admin/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 3bacd3943b..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/admin/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,790 +0,0 @@ ---- -description: Pipeline for parsing google_workspace logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: iam - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - date: - field: json.id.time - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - - rename: - field: json.events.name - target_field: event.action - ignore_missing: true - - fingerprint: - description: Hashes the ID object and uses it as the document id to avoid duplicate events. - fields: - - json.id - target_field: _id - ignore_missing: true - ignore_failure: true - - rename: - field: json.id.applicationName - target_field: event.provider - ignore_missing: true - - rename: - field: json.id.uniqueQualifier - target_field: event.id - ignore_missing: true - - rename: - field: json.actor.email - target_field: source.user.email - ignore_missing: true - - rename: - field: json.actor.profileId - target_field: source.user.id - ignore_missing: true - - convert: - field: json.ipAddress - target_field: source.ip - type: ip - ignore_failure: true - - rename: - field: json.kind - target_field: google_workspace.kind - ignore_missing: true - - rename: - field: json.id.customerId - target_field: organization.id - ignore_missing: true - - rename: - field: json.actor.callerType - target_field: google_workspace.actor.type - ignore_missing: true - - rename: - field: json.actor.key - target_field: google_workspace.actor.key - ignore_missing: true - - rename: - field: json.ownerDomain - target_field: google_workspace.organization.domain - ignore_missing: true - - rename: - field: json.events.type - target_field: google_workspace.event.type - ignore_missing: true - - set: - field: user.id - copy_from: source.user.id - if: ctx?.source?.user?.id 
!= null - - append: - field: event.category - value: configuration - if: '["CHANGE_APPLICATION_SETTING","UPDATE_MANAGED_CONFIGURATION","CHANGE_CALENDAR_SETTING","CHANGE_CHAT_SETTING","CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING","GPLUS_PREMIUM_FEATURES","UPDATE_CALENDAR_RESOURCE_FEATURE","FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","MEET_INTEROP_MODIFY_GATEWAY","CHANGE_CHROME_OS_APPLICATION_SETTING","CHANGE_CHROME_OS_DEVICE_SETTING","CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING","CHANGE_CHROME_OS_SETTING","CHANGE_CHROME_OS_USER_SETTING","CHANGE_CONTACTS_SETTING","CHANGE_DOCS_SETTING","CHANGE_SITES_SETTING","CHANGE_EMAIL_SETTING","CHANGE_GMAIL_SETTING","ALLOW_STRONG_AUTHENTICATION","ALLOW_SERVICE_FOR_OAUTH2_ACCESS","DISALLOW_SERVICE_FOR_OAUTH2_ACCESS","CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID","CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION","CHANGE_TWO_STEP_VERIFICATION_FREQUENCY","CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION","CHANGE_TWO_STEP_VERIFICATION_START_DATE","CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS","CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY","ENFORCE_STRONG_AUTHENTICATION","UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS","WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED","SESSION_CONTROL_SETTINGS_CHANGE","CHANGE_SESSION_LENGTH","TOGGLE_OAUTH_ACCESS_TO_ALL_APIS","TOGGLE_ALLOW_ADMIN_PASSWORD_RESET","ENABLE_API_ACCESS","CHANGE_WHITELIST_SETTING","COMMUNICATION_PREFERENCES_SETTING_CHANGE","ENABLE_FEEDBACK_SOLICITATION","TOGGLE_CONTACT_SHARING","TOGGLE_USE_CUSTOM_LOGO","CHANGE_DATA_LOCALIZATION_SETTING","TOGGLE_ENABLE_OAUTH_CONSUMER_KEY","TOGGLE_SSO_ENABLED","TOGGLE_SSL","TOGGLE_NEW_APP_FEATURES","TOGGLE_USE_NEXT_GEN_CONTROL_PANEL","TOGGLE_OPEN_ID_ENABLED","TOGGLE_OUTBOUND_RELAY","CHANGE_SSO_SETTINGS","ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS","CHANGE_MOBILE_APPLICATION_SETTINGS","CHANGE_MOBILE_SETTING","DELETE_APPLICATION_SETTING","DELETE_GMAIL_SETTING"].contains(ctx?.event?.action)' - - append: - field: 
event.type - value: change - if: '["CHANGE_APPLICATION_SETTING","UPDATE_MANAGED_CONFIGURATION","CHANGE_CALENDAR_SETTING","CHANGE_CHAT_SETTING","CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING","GPLUS_PREMIUM_FEATURES","UPDATE_CALENDAR_RESOURCE_FEATURE","FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","MEET_INTEROP_MODIFY_GATEWAY","CHANGE_CHROME_OS_APPLICATION_SETTING","CHANGE_CHROME_OS_DEVICE_SETTING","CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING","CHANGE_CHROME_OS_SETTING","CHANGE_CHROME_OS_USER_SETTING","CHANGE_CONTACTS_SETTING","CHANGE_DOCS_SETTING","CHANGE_SITES_SETTING","CHANGE_EMAIL_SETTING","CHANGE_GMAIL_SETTING","ALLOW_STRONG_AUTHENTICATION","ALLOW_SERVICE_FOR_OAUTH2_ACCESS","DISALLOW_SERVICE_FOR_OAUTH2_ACCESS","CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID","CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION","CHANGE_TWO_STEP_VERIFICATION_FREQUENCY","CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION","CHANGE_TWO_STEP_VERIFICATION_START_DATE","CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS","CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY","ENFORCE_STRONG_AUTHENTICATION","UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS","WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED","SESSION_CONTROL_SETTINGS_CHANGE","CHANGE_SESSION_LENGTH","TOGGLE_OAUTH_ACCESS_TO_ALL_APIS","TOGGLE_ALLOW_ADMIN_PASSWORD_RESET","ENABLE_API_ACCESS","CHANGE_WHITELIST_SETTING","COMMUNICATION_PREFERENCES_SETTING_CHANGE","ENABLE_FEEDBACK_SOLICITATION","TOGGLE_CONTACT_SHARING","TOGGLE_USE_CUSTOM_LOGO","CHANGE_DATA_LOCALIZATION_SETTING","TOGGLE_ENABLE_OAUTH_CONSUMER_KEY","TOGGLE_SSO_ENABLED","TOGGLE_SSL","TOGGLE_NEW_APP_FEATURES","TOGGLE_USE_NEXT_GEN_CONTROL_PANEL","TOGGLE_OPEN_ID_ENABLED","TOGGLE_OUTBOUND_RELAY","CHANGE_SSO_SETTINGS","ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS","CHANGE_MOBILE_APPLICATION_SETTINGS","CHANGE_MOBILE_SETTING","UPDATE_BUILDING","RENAME_CALENDAR_RESOURCE","UPDATE_CALENDAR_RESOURCE","CANCEL_CALENDAR_EVENTS","RELEASE_CALENDAR_RESOURCES","CHANGE_DEVICE_STATE","CH
ANGE_CHROME_OS_DEVICE_ANNOTATION","CHANGE_CHROME_OS_DEVICE_STATE","UPDATE_CHROME_OS_PRINT_SERVER","UPDATE_CHROME_OS_PRINTER","MOVE_DEVICE_TO_ORG_UNIT_DETAILED","UPDATE_DEVICE","SEND_CHROME_OS_DEVICE_COMMAND","ASSIGN_ROLE","ADD_PRIVILEGE","REMOVE_PRIVILEGE","RENAME_ROLE","UPDATE_ROLE","UNASSIGN_ROLE","TRANSFER_DOCUMENT_OWNERSHIP","ORG_USERS_LICENSE_ASSIGNMENT","ORG_ALL_USERS_LICENSE_ASSIGNMENT","USER_LICENSE_ASSIGNMENT","CHANGE_LICENSE_AUTO_ASSIGN","USER_LICENSE_REASSIGNMENT","ORG_LICENSE_REVOKE","USER_LICENSE_REVOKE","UPDATE_DYNAMIC_LICENSE","DROP_FROM_QUARANTINE","REJECT_FROM_QUARANTINE","RELEASE_FROM_QUARANTINE","CHROME_LICENSES_ENABLED","CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED","ASSIGN_CUSTOM_LOGO","UNASSIGN_CUSTOM_LOGO","REVOKE_ENROLLMENT_TOKEN","CHROME_LICENSES_ALLOWED","EDIT_ORG_UNIT_DESCRIPTION","MOVE_ORG_UNIT","EDIT_ORG_UNIT_NAME","REVOKE_DEVICE_ENROLLMENT_TOKEN","TOGGLE_SERVICE_ENABLED","ADD_TO_TRUSTED_OAUTH2_APPS","REMOVE_FROM_TRUSTED_OAUTH2_APPS","BLOCK_ON_DEVICE_ACCESS","TOGGLE_CAA_ENABLEMENT","CHANGE_CAA_ERROR_MESSAGE","CHANGE_CAA_APP_ASSIGNMENTS","UNTRUST_DOMAIN_OWNED_OAUTH2_APPS","TRUST_DOMAIN_OWNED_OAUTH2_APPS","UNBLOCK_ON_DEVICE_ACCESS","CHANGE_ACCOUNT_AUTO_RENEWAL","ADD_APPLICATION","ADD_APPLICATION_TO_WHITELIST","CHANGE_ADVERTISEMENT_OPTION","CHANGE_ALERT_CRITERIA","ALERT_RECEIVERS_CHANGED","RENAME_ALERT","ALERT_STATUS_CHANGED","ADD_DOMAIN_ALIAS","REMOVE_DOMAIN_ALIAS","AUTHORIZE_API_CLIENT_ACCESS","REMOVE_API_CLIENT_ACCESS","CHROME_LICENSES_REDEEMED","TOGGLE_AUTO_ADD_NEW_SERVICE","CHANGE_PRIMARY_DOMAIN","CHANGE_CONFLICT_ACCOUNT_ACTION","CHANGE_CUSTOM_LOGO","CHANGE_DATA_LOCALIZATION_FOR_RUSSIA","CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO","CHANGE_DOMAIN_DEFAULT_LOCALE","CHANGE_DOMAIN_DEFAULT_TIMEZONE","CHANGE_DOMAIN_NAME","TOGGLE_ENABLE_PRE_RELEASE_FEATURES","CHANGE_DOMAIN_SUPPORT_MESSAGE","ADD_TRUSTED_DOMAINS","REMOVE_TRUSTED_DOMAINS","CHANGE_EDU_TYPE","CHANGE_EU_REPRESENTATIVE_CONTACT_INFO","CHANGE_LOGIN_BACKGROUND_COLOR","CHANGE_LOGIN_BO
RDER_COLOR","CHANGE_LOGIN_ACTIVITY_TRACE","PLAY_FOR_WORK_ENROLL","PLAY_FOR_WORK_UNENROLL","UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL","CHANGE_ORGANIZATION_NAME","CHANGE_PASSWORD_MAX_LENGTH","CHANGE_PASSWORD_MIN_LENGTH","REMOVE_APPLICATION","REMOVE_APPLICATION_FROM_WHITELIST","CHANGE_RENEW_DOMAIN_REGISTRATION","CHANGE_RESELLER_ACCESS","RULE_ACTIONS_CHANGED","CHANGE_RULE_CRITERIA","RENAME_RULE","RULE_STATUS_CHANGED","ADD_SECONDARY_DOMAIN","REMOVE_SECONDARY_DOMAIN","UPDATE_DOMAIN_SECONDARY_EMAIL","UPDATE_RULE","ADD_MOBILE_CERTIFICATE","COMPANY_OWNED_DEVICE_BLOCKED","COMPANY_OWNED_DEVICE_UNBLOCKED","COMPANY_OWNED_DEVICE_WIPED","CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT","CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER","REMOVE_MOBILE_APPLICATION_FROM_WHITELIST","ADD_MOBILE_APPLICATION_TO_WHITELIST","CHANGE_ADMIN_RESTRICTIONS_PIN","CHANGE_MOBILE_WIRELESS_NETWORK","ADD_MOBILE_WIRELESS_NETWORK","REMOVE_MOBILE_WIRELESS_NETWORK","CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD","REMOVE_MOBILE_CERTIFICATE","CREATE_APPLICATION_SETTING","CREATE_GMAIL_SETTING","REORDER_GROUP_BASED_POLICIES_EVENT","CHANGE_GROUP_DESCRIPTION","ADD_GROUP_MEMBER","REMOVE_GROUP_MEMBER","UPDATE_GROUP_MEMBER","UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS","UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE","CHANGE_GROUP_NAME","CHANGE_GROUP_SETTING","GROUP_MEMBER_BULK_UPLOAD","WHITELISTED_GROUPS_UPDATED","REVOKE_3LO_DEVICE_TOKENS","REVOKE_3LO_TOKEN","ADD_RECOVERY_EMAIL","ADD_RECOVERY_PHONE","GRANT_ADMIN_PRIVILEGE","REVOKE_ADMIN_PRIVILEGE","REVOKE_ASP","TOGGLE_AUTOMATIC_CONTACT_SHARING","CANCEL_USER_INVITE","CHANGE_USER_CUSTOM_FIELD","CHANGE_USER_EXTERNAL_ID","CHANGE_USER_GENDER","CHANGE_USER_IM","ENABLE_USER_IP_WHITELIST","CHANGE_USER_KEYWORD","CHANGE_USER_LANGUAGE","CHANGE_USER_LOCATION","CHANGE_USER_ORGANIZATION","CHANGE_USER_PHONE_NUMBER","CHANGE_RECOVERY_EMAIL","CHANGE_RECOVERY_PHONE","CHANGE_USER_RELATION","CHANGE_USER_ADDRESS","GRANT_DELEGATED_ADMIN_PRIVILEGES","CHANGE_FIRST_NAME","GMAIL_RESET_USER","CHANGE_LAST_NAME","
MAIL_ROUTING_DESTINATION_ADDED","MAIL_ROUTING_DESTINATION_REMOVED","ADD_NICKNAME","REMOVE_NICKNAME","CHANGE_PASSWORD","CHANGE_PASSWORD_ON_NEXT_LOGIN","REMOVE_RECOVERY_EMAIL","REMOVE_RECOVERY_PHONE","RESET_SIGNIN_COOKIES","SECURITY_KEY_REGISTERED_FOR_USER","REVOKE_SECURITY_KEY","TURN_OFF_2_STEP_VERIFICATION","UNBLOCK_USER_SESSION","UNENROLL_USER_FROM_TITANIUM","ARCHIVE_USER","UPDATE_BIRTHDATE","DOWNGRADE_USER_FROM_GPLUS","USER_ENROLLED_IN_TWO_STEP_VERIFICATION","MOVE_USER_TO_ORG_UNIT","USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD","RENAME_USER","UNENROLL_USER_FROM_STRONG_AUTH","SUSPEND_USER","UNARCHIVE_USER","UNSUSPEND_USER","UPGRADE_USER_TO_GPLUS","MOBILE_DEVICE_APPROVE","MOBILE_DEVICE_BLOCK","MOBILE_DEVICE_WIPE","MOBILE_ACCOUNT_WIPE","MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE","MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK"].contains(ctx?.event?.action)' - - append: - field: event.type - value: user - if: '["REVOKE_3LO_DEVICE_TOKENS","REVOKE_3LO_TOKEN","ADD_RECOVERY_EMAIL","ADD_RECOVERY_PHONE","GRANT_ADMIN_PRIVILEGE","REVOKE_ADMIN_PRIVILEGE","REVOKE_ASP","TOGGLE_AUTOMATIC_CONTACT_SHARING","CANCEL_USER_INVITE","CHANGE_USER_CUSTOM_FIELD","CHANGE_USER_EXTERNAL_ID","CHANGE_USER_GENDER","CHANGE_USER_IM","ENABLE_USER_IP_WHITELIST","CHANGE_USER_KEYWORD","CHANGE_USER_LANGUAGE","CHANGE_USER_LOCATION","CHANGE_USER_ORGANIZATION","CHANGE_USER_PHONE_NUMBER","CHANGE_RECOVERY_EMAIL","CHANGE_RECOVERY_PHONE","CHANGE_USER_RELATION","CHANGE_USER_ADDRESS","GRANT_DELEGATED_ADMIN_PRIVILEGES","CHANGE_FIRST_NAME","GMAIL_RESET_USER","CHANGE_LAST_NAME","MAIL_ROUTING_DESTINATION_ADDED","MAIL_ROUTING_DESTINATION_REMOVED","ADD_NICKNAME","REMOVE_NICKNAME","CHANGE_PASSWORD","CHANGE_PASSWORD_ON_NEXT_LOGIN","REMOVE_RECOVERY_EMAIL","REMOVE_RECOVERY_PHONE","RESET_SIGNIN_COOKIES","SECURITY_KEY_REGISTERED_FOR_USER","REVOKE_SECURITY_KEY","TURN_OFF_2_STEP_VERIFICATION","UNBLOCK_USER_SESSION","UNENROLL_USER_FROM_TITANIUM","ARCHIVE_USER","UPDATE_BIRTHDATE","DOWNGRADE_USER_FROM_GPLUS","USER_ENROLLED_IN_TWO_STEP_VERI
FICATION","MOVE_USER_TO_ORG_UNIT","USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD","RENAME_USER","UNENROLL_USER_FROM_STRONG_AUTH","SUSPEND_USER","UNARCHIVE_USER","UNSUSPEND_USER","UPGRADE_USER_TO_GPLUS","MOBILE_DEVICE_APPROVE","MOBILE_DEVICE_BLOCK","MOBILE_DEVICE_WIPE","MOBILE_ACCOUNT_WIPE","MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE","MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK","DELETE_2SV_SCRATCH_CODES","DELETE_ACCOUNT_INFO_DUMP","DELETE_EMAIL_MONITOR","DELETE_MAILBOX_DUMP","DELETE_USER","MOBILE_DEVICE_DELETE","GENERATE_2SV_SCRATCH_CODES","CREATE_EMAIL_MONITOR","CREATE_DATA_TRANSFER_REQUEST","CREATE_USER","UNDELETE_USER","REQUEST_ACCOUNT_INFO","REQUEST_MAILBOX_DUMP","RESEND_USER_INVITE","BULK_UPLOAD_NOTIFICATION_SENT","USER_INVITE","VIEW_TEMP_PASSWORD","USERS_BULK_UPLOAD_NOTIFICATION_SENT","ACTION_CANCELLED","ACTION_REQUESTED"].contains(ctx?.event?.action)' - - append: - field: event.type - value: creation - if: '["CREATE_APPLICATION_SETTING","CREATE_GMAIL_SETTING","CREATE_MANAGED_CONFIGURATION","CREATE_BUILDING","CREATE_CALENDAR_RESOURCE","CREATE_CALENDAR_RESOURCE_FEATURE","MEET_INTEROP_CREATE_GATEWAY","INSERT_CHROME_OS_PRINT_SERVER","INSERT_CHROME_OS_PRINTER","CREATE_ROLE","ADD_WEB_ADDRESS","EMAIL_UNDELETE","CHROME_APPLICATION_LICENSE_RESERVATION_CREATED","CREATE_DEVICE_ENROLLMENT_TOKEN","CREATE_ENROLLMENT_TOKEN","CREATE_ORG_UNIT","CREATE_ALERT","CREATE_PLAY_FOR_WORK_TOKEN","GENERATE_TRANSFER_TOKEN","REGENERATE_OAUTH_CONSUMER_SECRET","CREATE_RULE","GENERATE_PIN","COMPANY_DEVICES_BULK_CREATION","CREATE_GROUP","GENERATE_2SV_SCRATCH_CODES","CREATE_EMAIL_MONITOR","CREATE_DATA_TRANSFER_REQUEST","CREATE_USER","UNDELETE_USER"].contains(ctx?.event?.action)' - - append: - field: event.type - value: deletion - if: 
'["DELETE_APPLICATION_SETTING","DELETE_GMAIL_SETTING","DELETE_MANAGED_CONFIGURATION","DELETE_BUILDING","DELETE_CALENDAR_RESOURCE","DELETE_CALENDAR_RESOURCE_FEATURE","MEET_INTEROP_DELETE_GATEWAY","DELETE_CHROME_OS_PRINT_SERVER","DELETE_CHROME_OS_PRINTER","REMOVE_CHROME_OS_APPLICATION_SETTINGS","DELETE_ROLE","DELETE_WEB_ADDRESS","CHROME_APPLICATION_LICENSE_RESERVATION_DELETED","REMOVE_ORG_UNIT","DELETE_ALERT","DELETE_PLAY_FOR_WORK_TOKEN","DELETE_RULE","COMPANY_DEVICE_DELETION","DELETE_GROUP","DELETE_2SV_SCRATCH_CODES","DELETE_ACCOUNT_INFO_DUMP","DELETE_EMAIL_MONITOR","DELETE_MAILBOX_DUMP","DELETE_USER","MOBILE_DEVICE_DELETE"].contains(ctx?.event?.action)' - - append: - field: event.type - value: group - if: '["REORDER_GROUP_BASED_POLICIES_EVENT","CHANGE_GROUP_DESCRIPTION","ADD_GROUP_MEMBER","REMOVE_GROUP_MEMBER","UPDATE_GROUP_MEMBER","UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS","UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE","CHANGE_GROUP_NAME","CHANGE_GROUP_SETTING","GROUP_MEMBER_BULK_UPLOAD","WHITELISTED_GROUPS_UPDATED","GROUP_LIST_DOWNLOAD","GROUP_MEMBERS_DOWNLOAD"].contains(ctx?.event?.action)' - - append: - field: event.type - value: info - if: 
'["ISSUE_DEVICE_COMMAND","DRIVE_DATA_RESTORE","VIEW_SITE_DETAILS","EMAIL_LOG_SEARCH","SKIP_DOMAIN_ALIAS_MX","VERIFY_DOMAIN_ALIAS_MX","VERIFY_DOMAIN_ALIAS","VIEW_DNS_LOGIN_DETAILS","MX_RECORD_VERIFICATION_CLAIM","UPLOAD_OAUTH_CERTIFICATE","SKIP_SECONDARY_DOMAIN_MX","VERIFY_SECONDARY_DOMAIN_MX","VERIFY_SECONDARY_DOMAIN","BULK_UPLOAD","DOWNLOAD_PENDING_INVITES_LIST","DOWNLOAD_USERLIST_CSV","USERS_BULK_UPLOAD","ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT","USE_GOOGLE_MOBILE_MANAGEMENT","USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS","USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS","GROUP_LIST_DOWNLOAD","GROUP_MEMBERS_DOWNLOAD","REQUEST_ACCOUNT_INFO","REQUEST_MAILBOX_DUMP","RESEND_USER_INVITE","BULK_UPLOAD_NOTIFICATION_SENT","USER_INVITE","VIEW_TEMP_PASSWORD","USERS_BULK_UPLOAD_NOTIFICATION_SENT","ACTION_CANCELLED","ACTION_REQUESTED"].contains(ctx?.event?.action)' - - script: - lang: painless - if: 'ctx?.json?.events?.parameters != null && ctx?.json?.events?.parameters instanceof List' - source: > - if (ctx.google_workspace.admin == null) { - ctx.google_workspace.admin = new HashMap(); - } - for (int i = 0; i < ctx.json.events.parameters.length; ++i) { - if (ctx["json"]["events"]["parameters"][i]["value"] != null) { - ctx.google_workspace.admin[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["value"]; - } - if (ctx["json"]["events"]["parameters"][i]["intValue"] != null) { - ctx.google_workspace.admin[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["intValue"]; - } - if (ctx["json"]["events"]["parameters"][i]["multiValue"] != null) { - ctx.google_workspace.admin[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["multiValue"]; - } - } - - remove: - field: json.events.parameters - ignore_missing: true - - rename: - field: google_workspace.admin.APPLICATION_EDITION - target_field: google_workspace.admin.application.edition - ignore_missing: true - - rename: - field: 
google_workspace.admin.APPLICATION_NAME - target_field: google_workspace.admin.application.name - ignore_missing: true - - rename: - field: google_workspace.admin.APPLICATION_ENABLED - target_field: google_workspace.admin.application.enabled - ignore_missing: true - - rename: - field: google_workspace.admin.APP_LICENSES_ORDER_NUMBER - target_field: google_workspace.admin.application.licences_order_number - ignore_missing: true - - rename: - field: google_workspace.admin.CHROME_NUM_LICENSES_PURCHASED - target_field: google_workspace.admin.application.licences_purchased - ignore_missing: true - - rename: - field: google_workspace.admin.REAUTH_APPLICATION - target_field: google_workspace.admin.application.name - ignore_missing: true - - rename: - field: google_workspace.admin.GROUP_EMAIL - target_field: google_workspace.admin.group.email - ignore_missing: true - - rename: - field: google_workspace.admin.GROUP_NAME - target_field: group.name - ignore_missing: true - - rename: - field: google_workspace.admin.NEW_VALUE - target_field: google_workspace.admin.new_value - ignore_missing: true - - rename: - field: google_workspace.admin.OLD_VALUE - target_field: google_workspace.admin.old_value - ignore_missing: true - - rename: - field: google_workspace.admin.ORG_UNIT_NAME - target_field: google_workspace.admin.org_unit.name - ignore_missing: true - - rename: - field: google_workspace.admin.SETTING_NAME - target_field: google_workspace.admin.setting.name - ignore_missing: true - - rename: - field: google_workspace.admin.SETTING_DESCRIPTION - target_field: google_workspace.admin.setting.description - ignore_missing: true - - rename: - field: google_workspace.admin.USER_DEFINED_SETTING_NAME - target_field: google_workspace.admin.user_defined_setting.name - ignore_missing: true - - rename: - field: google_workspace.admin.GROUP_PRIORITIES - target_field: google_workspace.admin.group.priorities - ignore_missing: true - - rename: - field: google_workspace.admin.DOMAIN_NAME - 
target_field: google_workspace.admin.domain.name - ignore_missing: true - - rename: - field: google_workspace.admin.DOMAIN_ALIAS - target_field: google_workspace.admin.domain.alias - ignore_missing: true - - rename: - field: google_workspace.admin.SECONDARY_DOMAIN_NAME - target_field: google_workspace.admin.domain.secondary_name - ignore_missing: true - - rename: - field: google_workspace.admin.MANAGED_CONFIGURATION_NAME - target_field: google_workspace.admin.managed_configuration - ignore_missing: true - - rename: - field: google_workspace.admin.MOBILE_APP_PACKAGE_ID - target_field: google_workspace.admin.application.package_id - ignore_missing: true - - rename: - field: google_workspace.admin.FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION - target_field: google_workspace.admin.non_featured_services_selection - ignore_missing: true - - rename: - field: google_workspace.admin.FIELD_NAME - target_field: google_workspace.admin.field - ignore_missing: true - - rename: - field: google_workspace.admin.RESOURCE_IDENTIFIER - target_field: google_workspace.admin.resource.id - ignore_missing: true - - rename: - field: google_workspace.admin.USER_EMAIL - target_field: google_workspace.admin.user.email - ignore_missing: true - - rename: - field: google_workspace.admin.GATEWAY_NAME - target_field: google_workspace.admin.gateway.name - ignore_missing: true - - rename: - field: google_workspace.admin.APP_ID - target_field: google_workspace.admin.application.id - ignore_missing: true - - rename: - field: google_workspace.admin.ASP_ID - target_field: google_workspace.admin.application.asp_id - ignore_missing: true - - rename: - field: google_workspace.admin.CHROME_OS_SESSION_TYPE - target_field: google_workspace.admin.chrome_os.session_type - ignore_missing: true - - rename: - field: google_workspace.admin.DEVICE_NEW_STATE - target_field: google_workspace.admin.new_value - ignore_missing: true - - rename: - field: google_workspace.admin.DEVICE_PREVIOUS_STATE - target_field: 
google_workspace.admin.old_value - ignore_missing: true - - rename: - field: google_workspace.admin.DEVICE_SERIAL_NUMBER - target_field: google_workspace.admin.device.serial_number - ignore_missing: true - - rename: - field: google_workspace.admin.DEVICE_ID - target_field: google_workspace.admin.device.id - ignore_missing: true - - rename: - field: google_workspace.admin.DEVICE_TYPE - target_field: google_workspace.admin.device.type - ignore_missing: true - - rename: - field: google_workspace.admin.PRINT_SERVER_NAME - target_field: google_workspace.admin.print_server.name - ignore_missing: true - - rename: - field: google_workspace.admin.PRINTER_NAME - target_field: google_workspace.admin.printer.name - ignore_missing: true - - rename: - field: google_workspace.admin.DEVICE_COMMAND_DETAILS - target_field: google_workspace.admin.device.command_details - ignore_missing: true - - rename: - field: google_workspace.admin.DEVICE_NEW_ORG_UNIT - target_field: google_workspace.admin.new_value - ignore_missing: true - - rename: - field: google_workspace.admin.DEVICE_PREVIOUS_ORG_UNIT - target_field: google_workspace.admin.old_value - ignore_missing: true - - rename: - field: google_workspace.admin.ROLE_NAME - target_field: google_workspace.admin.role.name - ignore_missing: true - - rename: - field: google_workspace.admin.ROLE_ID - target_field: google_workspace.admin.role.id - ignore_missing: true - - rename: - field: google_workspace.admin.PRIVILEGE_NAME - target_field: google_workspace.admin.privilege.name - ignore_missing: true - - rename: - field: google_workspace.admin.SITE_LOCATION - target_field: url.path - ignore_missing: true - - rename: - field: google_workspace.admin.WEB_ADDRESS - target_field: url.full - ignore_missing: true - - uri_parts: - field: url.full - ignore_failure: true - if: ctx?.url?.full != null - - rename: - field: google_workspace.admin.SITE_NAME - target_field: google_workspace.admin.url.name - ignore_missing: true - - rename: - field: 
google_workspace.admin.SERVICE_NAME - target_field: google_workspace.admin.service.name - ignore_missing: true - - rename: - field: google_workspace.admin.PRODUCT_NAME - target_field: google_workspace.admin.product.name - ignore_missing: true - - rename: - field: google_workspace.admin.SKU_NAME - target_field: google_workspace.admin.product.sku - ignore_missing: true - - rename: - field: google_workspace.admin.GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER - target_field: google_workspace.admin.bulk_upload.failed - ignore_missing: true - - rename: - field: google_workspace.admin.GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER - target_field: google_workspace.admin.bulk_upload.total - ignore_missing: true - - rename: - field: google_workspace.admin.BULK_UPLOAD_FAIL_USERS_NUMBER - target_field: google_workspace.admin.bulk_upload.failed - ignore_missing: true - - rename: - field: google_workspace.admin.BULK_UPLOAD_TOTAL_USERS_NUMBER - target_field: google_workspace.admin.bulk_upload.total - ignore_missing: true - - rename: - field: google_workspace.admin.EMAIL_LOG_SEARCH_MSG_ID - target_field: google_workspace.admin.email.log_search_filter.message_id - ignore_missing: true - - rename: - field: google_workspace.admin.EMAIL_LOG_SEARCH_RECIPIENT - target_field: google_workspace.admin.email.log_search_filter.recipient.value - ignore_missing: true - - rename: - field: google_workspace.admin.EMAIL_LOG_SEARCH_SENDER - target_field: google_workspace.admin.email.log_search_filter.sender.value - ignore_missing: true - - convert: - field: google_workspace.admin.EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP - type: ip - ignore_missing: true - on_failure: - - remove: - field: google_workspace.admin.EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP - - rename: - field: google_workspace.admin.EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP - target_field: google_workspace.admin.email.log_search_filter.recipient.ip - ignore_missing: true - - convert: - field: google_workspace.admin.EMAIL_LOG_SEARCH_SMTP_SENDER_IP - type: ip - 
ignore_missing: true - on_failure: - - remove: - field: google_workspace.admin.EMAIL_LOG_SEARCH_SMTP_SENDER_IP - - rename: - field: google_workspace.admin.EMAIL_LOG_SEARCH_SMTP_SENDER_IP - target_field: google_workspace.admin.email.log_search_filter.sender.ip - ignore_missing: true - - rename: - field: google_workspace.admin.QUARANTINE_NAME - target_field: google_workspace.admin.email.quarantine_name - ignore_missing: true - - rename: - field: google_workspace.admin.CHROME_LICENSES_ENABLED - target_field: google_workspace.admin.chrome_licenses.enabled - ignore_missing: true - - rename: - field: google_workspace.admin.CHROME_LICENSES_ALLOWED - target_field: google_workspace.admin.chrome_licenses.allowed - ignore_missing: true - - rename: - field: google_workspace.admin.FULL_ORG_UNIT_PATH - target_field: google_workspace.admin.org_unit.full - ignore_missing: true - - rename: - field: google_workspace.admin.OAUTH2_SERVICE_NAME - target_field: google_workspace.admin.oauth2.service.name - ignore_missing: true - - rename: - field: google_workspace.admin.OAUTH2_APP_ID - target_field: google_workspace.admin.oauth2.application.id - ignore_missing: true - - rename: - field: google_workspace.admin.OAUTH2_APP_NAME - target_field: google_workspace.admin.oauth2.application.name - ignore_missing: true - - rename: - field: google_workspace.admin.OAUTH2_APP_TYPE - target_field: google_workspace.admin.oauth2.application.type - ignore_missing: true - - rename: - field: google_workspace.admin.ALLOWED_TWO_STEP_VERIFICATION_METHOD - target_field: google_workspace.admin.verification_method - ignore_missing: true - - rename: - field: google_workspace.admin.DOMAIN_VERIFICATION_METHOD - target_field: google_workspace.admin.verification_method - ignore_missing: true - - rename: - field: google_workspace.admin.CAA_ASSIGNMENTS_NEW - target_field: google_workspace.admin.new_value - ignore_missing: true - - rename: - field: google_workspace.admin.CAA_ASSIGNMENTS_OLD - target_field: 
google_workspace.admin.old_value - ignore_missing: true - - rename: - field: google_workspace.admin.REAUTH_SETTING_NEW - target_field: google_workspace.admin.new_value - ignore_missing: true - - rename: - field: google_workspace.admin.REAUTH_SETTING_OLD - target_field: google_workspace.admin.old_value - ignore_missing: true - - rename: - field: google_workspace.admin.ALERT_NAME - target_field: google_workspace.admin.alert.name - ignore_missing: true - - rename: - field: google_workspace.admin.API_CLIENT_NAME - target_field: google_workspace.admin.api.client.name - ignore_missing: true - - rename: - field: google_workspace.admin.API_SCOPES - target_field: google_workspace.admin.api.scopes - ignore_missing: true - - rename: - field: google_workspace.admin.PLAY_FOR_WORK_TOKEN_ID - target_field: google_workspace.admin.mdm.token - ignore_missing: true - - rename: - field: google_workspace.admin.PLAY_FOR_WORK_MDM_VENDOR_NAME - target_field: google_workspace.admin.mdm.vendor - ignore_missing: true - - rename: - field: google_workspace.admin.INFO_TYPE - target_field: google_workspace.admin.info_type - ignore_missing: true - - rename: - field: google_workspace.admin.RULE_NAME - target_field: google_workspace.admin.rule.name - ignore_missing: true - - rename: - field: google_workspace.admin.USER_CUSTOM_FIELD - target_field: google_workspace.admin.setting.name - ignore_missing: true - - rename: - field: google_workspace.admin.EMAIL_MONITOR_DEST_EMAIL - target_field: google_workspace.admin.email_monitor.dest_email - ignore_missing: true - - rename: - field: google_workspace.admin.EMAIL_MONITOR_LEVEL_CHAT - target_field: google_workspace.admin.email_monitor.level.chat - ignore_missing: true - - rename: - field: google_workspace.admin.EMAIL_MONITOR_LEVEL_DRAFT_EMAIL - target_field: google_workspace.admin.email_monitor.level.draft - ignore_missing: true - - rename: - field: google_workspace.admin.EMAIL_MONITOR_LEVEL_INCOMING_EMAIL - target_field: 
google_workspace.admin.email_monitor.level.incoming - ignore_missing: true - - rename: - field: google_workspace.admin.EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL - target_field: google_workspace.admin.email_monitor.level.outgoing - ignore_missing: true - - rename: - field: google_workspace.admin.EMAIL_EXPORT_INCLUDE_DELETED - target_field: google_workspace.admin.email_dump.include_deleted - ignore_missing: true - - rename: - field: google_workspace.admin.EMAIL_EXPORT_PACKAGE_CONTENT - target_field: google_workspace.admin.email_dump.package_content - ignore_missing: true - - rename: - field: google_workspace.admin.SEARCH_QUERY_FOR_DUMP - target_field: google_workspace.admin.email_dump.query - ignore_missing: true - - rename: - field: google_workspace.admin.DESTINATION_USER_EMAIL - target_field: google_workspace.admin.new_value - ignore_missing: true - - rename: - field: google_workspace.admin.REQUEST_ID - target_field: google_workspace.admin.request.id - ignore_missing: true - - rename: - field: google_workspace.admin.GMAIL_RESET_REASON - target_field: message - ignore_missing: true - - rename: - field: google_workspace.admin.USER_NICKNAME - target_field: google_workspace.admin.user.nickname - ignore_missing: true - - rename: - field: google_workspace.admin.ACTION_ID - target_field: google_workspace.admin.mobile.action.id - ignore_missing: true - - rename: - field: google_workspace.admin.ACTION_TYPE - target_field: google_workspace.admin.mobile.action.type - ignore_missing: true - - rename: - field: google_workspace.admin.MOBILE_CERTIFICATE_COMMON_NAME - target_field: google_workspace.admin.mobile.certificate.name - ignore_missing: true - - rename: - field: google_workspace.admin.NUMBER_OF_COMPANY_OWNED_DEVICES - target_field: google_workspace.admin.mobile.company_owned_devices - ignore_missing: true - - rename: - field: google_workspace.admin.COMPANY_DEVICE_ID - target_field: google_workspace.admin.device.id - ignore_missing: true - - rename: - field: 
google_workspace.admin.DISTRIBUTION_ENTITY_NAME - target_field: google_workspace.admin.distribution.entity.name - ignore_missing: true - - rename: - field: google_workspace.admin.DISTRIBUTION_ENTITY_TYPE - target_field: google_workspace.admin.distribution.entity.type - ignore_missing: true - - rename: - field: google_workspace.admin.MOBILE_APP_PACKAGE_ID - target_field: google_workspace.admin.application.package_id - ignore_missing: true - - rename: - field: google_workspace.admin.NEW_PERMISSION_GRANT_STATE - target_field: google_workspace.admin.new_value - ignore_missing: true - - rename: - field: google_workspace.admin.OLD_PERMISSION_GRANT_STATE - target_field: google_workspace.admin.old_value - ignore_missing: true - - rename: - field: google_workspace.admin.PERMISSION_GROUP_NAME - target_field: google_workspace.admin.setting.name - ignore_missing: true - - rename: - field: google_workspace.admin.MOBILE_WIRELESS_NETWORK_NAME - target_field: network.name - ignore_missing: true - - date: - field: google_workspace.admin.EMAIL_LOG_SEARCH_END_DATE - target_field: google_workspace.admin.email.log_search_filter.end_date - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - if: ctx?.google_workspace?.admin?.EMAIL_LOG_SEARCH_END_DATE != null - - date: - field: google_workspace.admin.EMAIL_LOG_SEARCH_START_DATE - target_field: google_workspace.admin.email.log_search_filter.start_date - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - if: ctx?.google_workspace?.admin?.EMAIL_LOG_SEARCH_START_DATE != null - - date: - field: google_workspace.admin.BIRTHDATE - target_field: google_workspace.admin.user.birthdate - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - if: 
ctx?.google_workspace?.admin?.BIRTHDATE != null - - date: - field: google_workspace.admin.BEGIN_DATE_TIME - target_field: event.start - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - if: ctx?.google_workspace?.admin?.BEGIN_DATE_TIME != null - - date: - field: google_workspace.admin.START_DATE - target_field: event.start - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - if: ctx?.google_workspace?.admin?.START_DATE != null - - date: - field: google_workspace.admin.END_DATE - target_field: event.end - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - if: ctx?.google_workspace?.admin?.END_DATE != null - - date: - field: google_workspace.admin.END_DATE_TIME - target_field: event.end - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - if: ctx?.google_workspace?.admin?.END_DATE_TIME != null - - script: - lang: painless - if: 'ctx?.source?.user?.email != null && ctx?.source?.user?.email.contains("@")' - source: > - String[] splitmail = ctx.source.user.email.splitOnToken('@'); - if (splitmail.length != 2) { - return; - } - if (ctx.user == null) { - ctx.user = new HashMap(); - } - ctx.user.name = splitmail[0]; - ctx.source.user.name = splitmail[0]; - ctx.user.domain = splitmail[1]; - ctx.source.user.domain = splitmail[1]; - - script: - lang: painless - if: 'ctx?.google_workspace?.admin?.group?.email != null && ctx?.google_workspace?.admin?.group?.email.contains("@")' - source: > - String[] splitmail = ctx.google_workspace.admin.group.email.splitOnToken('@'); - if (splitmail.length != 2) { - return; - } - if (ctx.group == null) { - ctx.group = new HashMap(); - } - ctx.group.name = 
splitmail[0]; - ctx.group.domain = splitmail[1]; - - script: - lang: painless - if: 'ctx?.google_workspace?.admin?.user?.email != null && ctx?.google_workspace?.admin?.user?.email.contains("@")' - source: > - String[] splitmail = ctx.google_workspace.admin.user.email.splitOnToken('@'); - if (splitmail.length != 2) { - return; - } - if (ctx.related == null) { - ctx.related = new HashMap(); - } - if (ctx.user == null) { - ctx.user = new HashMap(); - } - if (ctx.user.target == null) { - ctx.user.target = new HashMap(); - } - ctx.user.target.name = splitmail[0]; - ctx.user.target.domain = splitmail[1]; - ctx.user.target.email = ctx.google_workspace.admin.user.email; - - set: - field: user.target.group.name - copy_from: group.name - if: ctx?.group?.name != null - - set: - field: user.target.group.domain - copy_from: group.domain - if: ctx?.group?.domain != null - - script: - lang: painless - if: 'ctx?.event?.start != null && ctx?.event?.end != null' - source: >- - ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); - ZonedDateTime end = ZonedDateTime.parse(ctx.event.end); - ctx.event.duration = ChronoUnit.NANOS.between(start, end); - - convert: - field: google_workspace.admin.bulk_upload.total - type: long - ignore_missing: true - - convert: - field: google_workspace.admin.bulk_upload.failed - type: long - ignore_missing: true - - set: - field: event.outcome - value: success - if: 'ctx?.google_workspace?.admin?.group?.bulk_upload?.failed != null && ctx?.google_workspace?.admin?.group?.bulk_upload?.failed == 0' - - set: - field: event.outcome - value: failure - if: 'ctx?.google_workspace?.admin?.group?.bulk_upload?.failed != null && ctx?.google_workspace?.admin?.group?.bulk_upload?.failed != 0' - - split: - field: google_workspace.admin.WHITELISTED_GROUPS - target_field: google_workspace.admin.group.allowed_list - separator: ',' - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx?.source?.ip != null - allow_duplicates: false 
- - append:
- field: related.user
- value: "{{source.user.name}}"
- if: ctx?.source?.user?.name != null
- allow_duplicates: false
- - append:
- field: related.user
- value: "{{user.target.name}}"
- if: ctx?.user?.target?.name != null
- allow_duplicates: false
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - convert:
- field: event.id
- type: string
- ignore_missing: true
- - convert:
- field: source.user.id
- type: string
- ignore_missing: true
- - convert:
- field: user.id
- type: string
- ignore_missing: true
- - remove:
- field:
- - json
- - google_workspace.admin.EMAIL_LOG_SEARCH_END_DATE
- - google_workspace.admin.EMAIL_LOG_SEARCH_START_DATE
- - google_workspace.admin.BIRTHDATE
- - google_workspace.admin.BEGIN_DATE_TIME
- - google_workspace.admin.START_DATE
- - google_workspace.admin.END_DATE
- - google_workspace.admin.END_DATE_TIME
- - google_workspace.admin.WHITELISTED_GROUPS
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/google_workspace/1.5.0/data_stream/admin/fields/agent.yml b/packages/google_workspace/1.5.0/data_stream/admin/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/admin/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/google_workspace/1.5.0/data_stream/admin/fields/base-fields.yml b/packages/google_workspace/1.5.0/data_stream/admin/fields/base-fields.yml
deleted file mode 100755
index 5913006667..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/admin/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: google_workspace
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: google_workspace.admin
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/google_workspace/1.5.0/data_stream/admin/fields/ecs.yml b/packages/google_workspace/1.5.0/data_stream/admin/fields/ecs.yml
deleted file mode 100755
index cf45f5e9aa..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/admin/fields/ecs.yml
+++ /dev/null
@@ -1,290 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. 
- name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. 
- If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: Unique identifier for the organization. - name: organization.id - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. 
- multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: source.user.domain - type: keyword -- description: User email address. - name: source.user.email - type: keyword -- description: Unique identifier of the user. - name: source.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. 
For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Password of the request. - name: url.password - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: url.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: Username of the request. - name: url.username - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. 
- name: user.target.domain - type: keyword -- description: User email address. - name: user.target.email - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: user.target.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: user.target.group.id - type: keyword -- description: Name of the group. - name: user.target.group.name - type: keyword -- description: Unique identifier of the user. - name: user.target.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword diff --git a/packages/google_workspace/1.5.0/data_stream/admin/fields/fields.yml b/packages/google_workspace/1.5.0/data_stream/admin/fields/fields.yml deleted file mode 100755 index 642107f70f..0000000000 --- a/packages/google_workspace/1.5.0/data_stream/admin/fields/fields.yml +++ /dev/null 
@@ -1,259 +0,0 @@ -- name: google_workspace.admin - type: group - fields: - - name: application.edition - type: keyword - description: The Google Workspace edition. - - name: application.name - type: keyword - description: The application's name. - - name: application.enabled - type: keyword - description: The enabled application. - - name: application.licences_order_number - type: keyword - description: Order number used to redeem licenses. - - name: application.licences_purchased - type: long - description: Number of licences purchased. - - name: application.id - type: keyword - description: The application ID. - - name: application.asp_id - type: keyword - description: The application specific password ID. - - name: application.package_id - type: keyword - description: The mobile application package ID. - - name: group.email - type: keyword - description: The group's primary email address. - - name: new_value - type: keyword - description: The new value for the setting. - - name: old_value - type: keyword - description: The old value for the setting. - - name: org_unit.name - type: keyword - description: The organizational unit name. - - name: org_unit.full - type: keyword - description: The org unit full path including the root org unit name. - - name: setting.name - type: keyword - description: The setting name. - - name: user_defined_setting.name - type: keyword - description: The name of the user-defined setting. - - name: setting.description - type: keyword - description: The setting name. - - name: group.priorities - type: keyword - description: Group priorities. - - name: domain.alias - type: keyword - description: The domain alias. - - name: domain.name - type: keyword - description: The primary domain name. - - name: domain.secondary_name - type: keyword - description: The secondary domain name. - - name: managed_configuration - type: keyword - description: The name of the managed configuration. 
- - name: non_featured_services_selection - type: keyword - description: | - Non-featured services selection. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED - - name: field - type: keyword - description: The name of the field. - - name: resource.id - type: keyword - description: The name of the resource identifier. - - name: user.email - type: keyword - description: The user's primary email address. - - name: user.nickname - type: keyword - description: The user's nickname. - - name: user.birthdate - type: date - description: The user's birth date. - - name: gateway.name - type: keyword - description: Gateway name. Present on some chat settings. - - name: chrome_os.session_type - type: keyword - description: Chrome OS session type. - - name: device.serial_number - type: keyword - description: Device serial number. - - name: device.id - type: keyword - - name: device.type - type: keyword - description: Device type. - - name: print_server.name - type: keyword - description: The name of the print server. - - name: printer.name - type: keyword - description: The name of the printer. - - name: device.command_details - type: keyword - description: Command details. - - name: role.id - type: keyword - description: Unique identifier for this role privilege. - - name: role.name - type: keyword - description: | - The role name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings - - name: privilege.name - type: keyword - description: Privilege name. - - name: service.name - type: keyword - description: The service name. - - name: url.name - type: keyword - description: The website name. - - name: product.name - type: keyword - description: The product name. - - name: product.sku - type: keyword - description: The product SKU. 
- - name: bulk_upload.failed - type: long - description: Number of failed records in bulk upload operation. - - name: bulk_upload.total - type: long - description: Number of total records in bulk upload operation. - - name: group.allowed_list - type: keyword - description: Names of allow-listed groups. - - name: email.quarantine_name - type: keyword - description: The name of the quarantine. - - name: email.log_search_filter.message_id - type: keyword - description: The log search filter's email message ID. - - name: email.log_search_filter.start_date - type: date - description: The log search filter's start date. - - name: email.log_search_filter.end_date - type: date - description: The log search filter's ending date. - - name: email.log_search_filter.recipient.value - type: keyword - description: The log search filter's email recipient. - - name: email.log_search_filter.sender.value - type: keyword - description: The log search filter's email sender. - - name: email.log_search_filter.recipient.ip - type: ip - description: The log search filter's email recipient's IP address. - - name: email.log_search_filter.sender.ip - type: ip - description: The log search filter's email sender's IP address. - - name: chrome_licenses.enabled - type: keyword - description: | - Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings - - name: chrome_licenses.allowed - type: keyword - description: | - Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings - - name: oauth2.service.name - type: keyword - description: | - OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings - - name: oauth2.application.id - type: keyword - description: OAuth2 application ID. 
- - name: oauth2.application.name - type: keyword - description: OAuth2 application name. - - name: oauth2.application.type - type: keyword - description: | - OAuth2 application type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings - - name: verification_method - type: keyword - description: | - Related verification method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings - - name: alert.name - type: keyword - description: The alert name. - - name: rule.name - type: keyword - description: The rule name. - - name: api.client.name - type: keyword - description: The API client name. - - name: api.scopes - type: keyword - description: The API scopes. - - name: mdm.token - type: keyword - description: The MDM vendor enrollment token. - - name: mdm.vendor - type: keyword - description: The MDM vendor's name. - - name: info_type - type: keyword - description: | - This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings - - name: email_monitor.dest_email - type: keyword - description: The destination address of the email monitor. - - name: email_monitor.level.chat - type: keyword - description: The chat email monitor level. - - name: email_monitor.level.draft - type: keyword - description: The draft email monitor level. - - name: email_monitor.level.incoming - type: keyword - description: The incoming email monitor level. - - name: email_monitor.level.outgoing - type: keyword - description: The outgoing email monitor level. - - name: email_dump.include_deleted - type: boolean - description: Indicates if deleted emails are included in the export. 
- - name: email_dump.package_content - type: keyword - description: The contents of the mailbox package. - - name: email_dump.query - type: keyword - description: The search query used for the dump. - - name: request.id - type: keyword - description: The request ID. - - name: mobile.action.id - type: keyword - description: The mobile device action's ID. - - name: mobile.action.type - type: keyword - description: | - The mobile device action's type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings - - name: mobile.certificate.name - type: keyword - description: The mobile certificate common name. - - name: mobile.company_owned_devices - type: long - description: The number of devices a company owns. - - name: distribution.entity.name - type: keyword - description: | - The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings - - name: distribution.entity.type - type: keyword - description: | - The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings diff --git a/packages/google_workspace/1.5.0/data_stream/admin/fields/package-fields.yml b/packages/google_workspace/1.5.0/data_stream/admin/fields/package-fields.yml deleted file mode 100755 index 6aaf0c1ca5..0000000000 --- a/packages/google_workspace/1.5.0/data_stream/admin/fields/package-fields.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -- name: google_workspace - type: group - fields: - - name: actor.type - type: keyword - description: | - The type of actor. - Values can be: - *USER*: Another user in the same domain. - *EXTERNAL_USER*: A user outside the domain. - *KEY*: A non-human actor. - - name: actor.key - type: keyword - description: | - Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. - - name: event.type - type: keyword - description: | - The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - - name: kind - type: keyword - description: | - The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - - name: organization.domain - type: keyword - description: | - The domain that is affected by the report's event. diff --git a/packages/google_workspace/1.5.0/data_stream/admin/manifest.yml b/packages/google_workspace/1.5.0/data_stream/admin/manifest.yml deleted file mode 100755 index 5be2f1ef22..0000000000 --- a/packages/google_workspace/1.5.0/data_stream/admin/manifest.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -type: logs -title: Admin logs -streams: - - input: httpjson - template_path: httpjson.yml.hbs - title: Admin logs (httpjson) - description: Collect admin logs using httpjson input - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - google-workspace-admin - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/google_workspace/1.5.0/data_stream/admin/sample_event.json b/packages/google_workspace/1.5.0/data_stream/admin/sample_event.json deleted file mode 100755 index 6479395033..0000000000 --- a/packages/google_workspace/1.5.0/data_stream/admin/sample_event.json +++ /dev/null 
@@ -1,116 +0,0 @@ -{ - "@timestamp": "2022-02-02T12:23:57.000Z", - "agent": { - "ephemeral_id": "68cf8bd1-0ff1-4c77-a4e7-64ab24882a9c", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "google_workspace.admin", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "CHANGE_APPLICATION_SETTING", - "agent_id_status": "verified", - "category": [ - "iam", - "configuration" - ], - "created": "2022-02-03T12:23:57.797Z", - "dataset": "google_workspace.admin", - "id": "1", - "ingested": "2022-02-03T12:23:58Z", - "provider": "admin", - "type": [ - "change" - ] - }, - "google_workspace": { - "actor": { - "type": "USER" - }, - "admin": { - "application": { - "edition": "basic", - "name": "drive" - }, - "group": { - "email": "group@example.com" - }, - "new_value": "new", - "old_value": "old", - "org_unit": { - "name": "org" - }, - "setting": { - "name": "setting" - } - }, - "event": { - "type": "APPLICATION_SETTINGS" - }, - "kind": "admin#reports#activity", - "organization": { - "domain": "elastic.com" - } - }, - "group": { - "domain": "example.com", - "name": "group" - }, - "input": { - "type": "httpjson" - }, - "organization": { - "id": "1" - }, - "related": { - "ip": [ - "98.235.162.24" - ], - "user": [ - "foo" - ] - }, - "source": { - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, Inc." 
- } - }, - "ip": "98.235.162.24", - "user": { - "domain": "bar.com", - "email": "foo@bar.com", - "id": "1", - "name": "foo" - } - }, - "tags": [ - "forwarded", - "google-workspace-admin" - ], - "user": { - "domain": "bar.com", - "id": "1", - "name": "foo", - "target": { - "group": { - "domain": "example.com", - "name": "group" - } - } - } -} \ No newline at end of file diff --git a/packages/google_workspace/1.5.0/data_stream/drive/agent/stream/httpjson.yml.hbs b/packages/google_workspace/1.5.0/data_stream/drive/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 510c49aabb..0000000000 --- a/packages/google_workspace/1.5.0/data_stream/drive/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,44 +0,0 @@ -config_version: "2" -interval: {{interval}} -auth.oauth2.provider: google -auth.oauth2.google.jwt_file: {{jwt_file}} -auth.oauth2.google.jwt_json: {{jwt_json}} -auth.oauth2.google.delegated_account: {{delegated_account}} -auth.oauth2.scopes: - - https://www.googleapis.com/auth/admin.reports.audit.readonly -request.url: {{api_host}}/admin/reports/v1/activity/users/{{user_key}}/applications/drive -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -request.transforms: - - set: - target: url.params.startTime - value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]' - default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' -response.split: - target: body.items - split: - target: body.events - keep_parent: true -response.pagination: - - set: - target: url.params.pageToken - value: "[[.last_response.body.nextPageToken]]" - fail_on_template_error: true -cursor: - last_execution_datetime: - value: "[[formatDate now]]" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/google_workspace/1.5.0/data_stream/drive/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/1.5.0/data_stream/drive/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 85f487e7a8..0000000000 --- a/packages/google_workspace/1.5.0/data_stream/drive/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,268 +0,0 @@
----
-description: Pipeline for parsing google_workspace logs
-processors:
- - set:
- field: ecs.version
- value: '8.2.0'
- - append:
- field: event.category
- value: file
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- ignore_failure: true
- - date:
- field: json.id.time
- timezone: UTC
- formats:
- - ISO8601
- - yyyy-MM-dd'T'HH:mm:ss
- - yyyy-MM-dd'T'HH:mm:ssZ
- - yyyy-MM-dd'T'HH:mm:ss.SSSZ
- - yyyy/MM/dd HH:mm:ss z
- - rename:
- field: json.events.name
- target_field: event.action
- ignore_missing: true
- - fingerprint:
- description: Hashes the ID object and uses it as the document id to avoid duplicate events.
- fields:
- - json.id
- target_field: _id
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.id.applicationName
- target_field: event.provider
- ignore_missing: true
- - convert:
- field: json.id.uniqueQualifier
- target_field: event.id
- type: string
- ignore_missing: true
- - rename:
- field: json.actor.email
- target_field: source.user.email
- ignore_missing: true
- - convert:
- field: json.actor.profileId
- target_field: source.user.id
- type: string
- ignore_missing: true
- - set:
- field: user.id
- copy_from: source.user.id
- if: ctx?.source?.user?.id != null
- - rename:
- field: json.ipAddress
- target_field: source.ip
- ignore_missing: true
- - rename:
- field: json.kind
- target_field: google_workspace.kind
- ignore_missing: true
- - rename:
- field: json.id.customerId
- target_field: organization.id
- ignore_missing: true
- - rename:
- field: json.actor.callerType
- target_field: google_workspace.actor.type
- ignore_missing: true
- - rename:
- field: json.actor.key
- target_field: google_workspace.actor.key
- ignore_missing: true
- - rename:
- field: json.ownerDomain
- target_field: google_workspace.organization.domain
- ignore_missing: true
- - rename:
- field: json.events.type
- target_field: google_workspace.event.type
- ignore_missing: true
- - script:
- lang: painless
- if: 'ctx?.source?.user?.email != null && ctx?.source?.user?.email.contains("@")'
- source: >
- String[] splitmail = ctx.source.user.email.splitOnToken('@');
- if (splitmail.length != 2) {
- return;
- }
- if (ctx.user == null) {
- ctx.user = new HashMap();
- }
- ctx.user.name = splitmail[0];
- ctx.source.user.name = splitmail[0];
- ctx.user.domain = splitmail[1];
- ctx.source.user.domain = splitmail[1];
- - append:
- field: event.type
- value: change
- if: '["add_to_folder", "edit", "add_lock", "move", "remove_from_folder", "rename", "remove_lock", "sheets_import_range", "approval_canceled", "approval_comment_added", "approval_requested", "approval_reviewer_responded", "change_acl_editors", "change_document_access_scope", "change_document_visibility", "shared_drive_membership_change", "shared_drive_settings_change", "sheets_import_range_access_change", "change_user_access"].contains(ctx?.event?.action)'
- - append:
- field: event.category
- value: iam
- if: '["approval_canceled", "approval_comment_added", "approval_requested", "approval_reviewer_responded", "change_acl_editors", "change_document_access_scope", "change_document_visibility", "shared_drive_membership_change", "shared_drive_settings_change", "sheets_import_range_access_change", "change_user_access"].contains(ctx?.event?.action)'
- - append:
- field: event.category
- value: configuration
- if: '["approval_canceled", "approval_comment_added", "approval_requested", "approval_reviewer_responded", "change_acl_editors", "change_document_access_scope", "change_document_visibility", "shared_drive_membership_change", "shared_drive_settings_change", "sheets_import_range_access_change", "change_user_access"].contains(ctx?.event?.action)'
- - append:
- field: event.type
- value: creation
- if: '["create", "untrash", "upload"].contains(ctx?.event?.action)'
- - append:
- field: event.type
- value: deletion
- if: '["delete", "trash"].contains(ctx?.event?.action)'
- - append:
- field: event.type
- value: info
- if: '["download", "preview", "print", "view"].contains(ctx?.event?.action)'
- - script:
- lang: painless
- if: 'ctx?.json?.events?.parameters != null && ctx?.json?.events?.parameters instanceof List'
- source: >
- if (ctx.google_workspace.drive == null) {
- ctx.google_workspace.drive = new HashMap();
- }
- for (int i = 0; i < ctx.json.events.parameters.length; ++i) {
- if (ctx["json"]["events"]["parameters"][i]["value"] != null) {
- ctx.google_workspace.drive[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["value"];
- }
- if (ctx["json"]["events"]["parameters"][i]["multiValue"] != null) {
- ctx.google_workspace.drive[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["multiValue"];
- }
- if (ctx["json"]["events"]["parameters"][i]["boolValue"] != null) {
- ctx.google_workspace.drive[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["boolValue"];
- }
- }
- - rename:
- field: google_workspace.drive.doc_id
- target_field: google_workspace.drive.file.id
- ignore_missing: true
- - rename:
- field: google_workspace.drive.doc_title
- target_field: file.name
- ignore_missing: true
- - rename:
- field: google_workspace.drive.doc_type
- target_field: google_workspace.drive.file.type
- ignore_missing: true
- - rename:
- field: google_workspace.drive.owner
- target_field: google_workspace.drive.file.owner.email
- ignore_missing: true
- - rename:
- field: google_workspace.drive.owner_is_shared_drive
- target_field: google_workspace.drive.file.owner.is_shared_drive
- ignore_missing: true
- - rename:
- field: google_workspace.drive.new_settings_state
- target_field: google_workspace.drive.new_value
- ignore_missing: true
- - rename:
- field: google_workspace.drive.old_settings_state
- target_field: google_workspace.drive.old_value
- ignore_missing: true
- - rename:
- field: google_workspace.drive.target_user
- target_field: google_workspace.drive.target
- ignore_missing: true
- - set:
- field: file.type
- value: dir
- if: '["folder", "shared"].contains(ctx?.google_workspace?.drive?.file?.type)'
- - set:
- field: file.type
- value: file
- if: ctx?.file?.type == null
- - script:
- lang: painless
- if: ctx?.file?.name != null
- source: >
- def path = ctx.file.name;
- def extIdx = path.lastIndexOf(".");
- if (extIdx > -1) {
- ctx.file.extension = path.substring(extIdx+1);
- }
- - script:
- lang: painless
- if: 'ctx?.google_workspace?.drive?.target != null && ctx?.google_workspace?.drive?.target.contains("@")'
- source: >
- String[] splitmail = ctx.google_workspace.drive.target.splitOnToken('@');
- if (splitmail.length != 2) {
- return;
- }
- if (ctx.related == null) {
- ctx.related = new HashMap();
- }
- if (ctx.related.user == null) {
- ctx.related.user = new ArrayList();
- }
- ctx.related.user.add(splitmail[0]);
- - script:
- lang: painless
- if: 'ctx?.google_workspace?.drive?.file?.owner?.email != null && ctx?.google_workspace?.drive?.file?.owner?.email.contains("@")'
- source: >
- String[] splitmail = ctx.google_workspace.drive.file.owner.email.splitOnToken('@');
- if (splitmail.length != 2) {
- return;
- }
- if (ctx.file == null) {
- ctx.file = new HashMap();
- }
- ctx.file.owner = splitmail[0];
- - append:
- field: related.ip
- value: "{{source.ip}}"
- if: ctx?.source?.ip != null
- allow_duplicates: false
- - append:
- field: related.user
- value: "{{file.owner}}"
- if: ctx?.file?.owner != null
- allow_duplicates: false
- - append:
- field: related.user
- value: "{{source.user.name}}"
- if: ctx?.source?.user?.name != null
- allow_duplicates: false
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - remove:
- field:
- - json
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/google_workspace/1.5.0/data_stream/drive/fields/agent.yml b/packages/google_workspace/1.5.0/data_stream/drive/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/drive/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/google_workspace/1.5.0/data_stream/drive/fields/base-fields.yml b/packages/google_workspace/1.5.0/data_stream/drive/fields/base-fields.yml
deleted file mode 100755
index 0ea1dcfcb3..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/drive/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: google_workspace
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: google_workspace.drive
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/google_workspace/1.5.0/data_stream/drive/fields/ecs.yml b/packages/google_workspace/1.5.0/data_stream/drive/fields/ecs.yml
deleted file mode 100755
index 69f294179c..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/drive/fields/ecs.yml
+++ /dev/null
@@ -1,236 +0,0 @@
-- description: Container name.
- name: container.name
- type: keyword
-- description: Runtime managing this container.
- name: container.runtime
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- Source of the event.
- Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
- name: event.provider
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- File extension, excluding the leading dot.
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: file.extension
- type: keyword
-- description: Name of the file including the extension, without the directory.
- name: file.name
- type: keyword
-- description: File owner's username.
- name: file.owner
- type: keyword
-- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
- multi_fields:
- - name: text
- type: match_only_text
- name: file.path
- type: keyword
-- description: File type (file, dir, or symlink).
- name: file.type
- type: keyword
-- description: |-
- Name of the directory the group is a member of.
- For example, an LDAP or Active Directory domain name.
- name: group.domain
- type: keyword
-- description: Unique identifier for the group on the system/platform.
- name: group.id
- type: keyword
-- description: Name of the group.
- name: group.name
- type: keyword
-- description: |-
- Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
- If the event wasn't read from a log file, do not populate this field.
- name: log.file.path
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: Unique identifier for the organization.
- name: organization.id
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- level: core
- name: source.geo.location
- type: geo_point
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: source.user.domain
- type: keyword
-- description: User email address.
- name: source.user.email
- type: keyword
-- description: Unique identifier of the user.
- name: source.user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.user.name
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- type: keyword
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.domain
- type: keyword
-- description: User email address.
- name: user.email
- type: keyword
-- description: Unique identifier of the user.
- name: user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.target.domain
- type: keyword
-- description: User email address.
- name: user.target.email
- type: keyword
-- description: |-
- Name of the directory the group is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.target.group.domain
- type: keyword
-- description: Unique identifier for the group on the system/platform.
- name: user.target.group.id
- type: keyword
-- description: Name of the group.
- name: user.target.group.name
- type: keyword
-- description: Unique identifier of the user.
- name: user.target.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.target.name
- type: keyword
diff --git a/packages/google_workspace/1.5.0/data_stream/drive/fields/fields.yml b/packages/google_workspace/1.5.0/data_stream/drive/fields/fields.yml
deleted file mode 100755
index 85a89be11c..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/drive/fields/fields.yml
+++ /dev/null
@@ -1,84 +0,0 @@
-- name: google_workspace.drive
- type: group
- fields:
- - name: billable
- type: boolean
- description: Whether this activity is billable.
- - name: source_folder_id
- type: keyword
- - name: source_folder_title
- type: keyword
- - name: destination_folder_id
- type: keyword
- - name: destination_folder_title
- type: keyword
- - name: file.id
- type: keyword
- - name: file.type
- type: keyword
- description: |
- Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- - name: originating_app_id
- type: keyword
- description: |
- The Google Cloud Project ID of the application that performed the action.
- - name: file.owner.email
- type: keyword
- - name: file.owner.is_shared_drive
- type: boolean
- description: |
- Boolean flag denoting whether owner is a shared drive.
- - name: primary_event
- type: boolean
- description: |
- Whether this is a primary event. A single user action in Drive may generate several events.
- - name: shared_drive_id
- type: keyword
- description: |
- The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive.
- - name: visibility
- type: keyword
- description: |
- Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- - name: new_value
- type: keyword
- description: |
- When a setting or property of the file changes, the new value for it will appear here.
- - name: old_value
- type: keyword
- description: |
- When a setting or property of the file changes, the old value for it will appear here.
- - name: sheets_import_range_recipient_doc
- type: keyword
- description: Doc ID of the recipient of a sheets import range.
- - name: old_visibility
- type: keyword
- description: |
- When visibility changes, this holds the old value.
- - name: visibility_change
- type: keyword
- description: |
- When visibility changes, this holds the new overall visibility of the file.
- - name: target_domain
- type: keyword
- description: |
- The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document.
- - name: added_role
- type: keyword
- description: |
- Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- - name: membership_change_type
- type: keyword
- description: |
- Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- - name: shared_drive_settings_change_type
- type: keyword
- description: |
- Type of change in Team Drive settings. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- - name: removed_role
- type: keyword
- description: |
- Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- - name: target
- type: keyword
- description: Target user or group.
diff --git a/packages/google_workspace/1.5.0/data_stream/drive/fields/package-fields.yml b/packages/google_workspace/1.5.0/data_stream/drive/fields/package-fields.yml
deleted file mode 100755
index 6aaf0c1ca5..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/drive/fields/package-fields.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-- name: google_workspace
- type: group
- fields:
- - name: actor.type
- type: keyword
- description: |
- The type of actor.
- Values can be:
- *USER*: Another user in the same domain.
- *EXTERNAL_USER*: A user outside the domain.
- *KEY*: A non-human actor.
- - name: actor.key
- type: keyword
- description: |
- Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts.
- - name: event.type
- type: keyword
- description: |
- The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list
- - name: kind
- type: keyword
- description: |
- The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list
- - name: organization.domain
- type: keyword
- description: |
- The domain that is affected by the report's event.
diff --git a/packages/google_workspace/1.5.0/data_stream/drive/manifest.yml b/packages/google_workspace/1.5.0/data_stream/drive/manifest.yml
deleted file mode 100755
index ef6840f241..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/drive/manifest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-type: logs
-title: Drive logs
-streams:
- - input: httpjson
- template_path: httpjson.yml.hbs
- title: Drive logs (httpjson)
- description: Collect drive logs using httpjson input
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - google-workspace-drive
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/google_workspace/1.5.0/data_stream/drive/sample_event.json b/packages/google_workspace/1.5.0/data_stream/drive/sample_event.json
deleted file mode 100755
index 3a1ed6c11c..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/drive/sample_event.json
+++ /dev/null
@@ -1,110 +0,0 @@
-{
- "@timestamp": "2022-02-02T12:24:50.000Z",
- "agent": {
- "ephemeral_id": "3160d231-025f-4e24-9581-72458c960fca",
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "data_stream": {
- "dataset": "google_workspace.drive",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "action": "add_to_folder",
- "agent_id_status": "verified",
- "category": [
- "file"
- ],
- "created": "2022-02-03T12:24:50.101Z",
- "dataset": "google_workspace.drive",
- "id": "1",
- "ingested": "2022-02-03T12:24:51Z",
- "provider": "drive",
- "type": [
- "change"
- ]
- },
- "file": {
- "name": "document title",
- "owner": "owner",
- "type": "file"
- },
- "google_workspace": {
- "actor": {
- "type": "USER"
- },
- "drive": {
- "billable": false,
- "destination_folder_id": "1234",
- "destination_folder_title": "folder title",
- "file": {
- "id": "1234",
- "owner": {
- "email": "owner@example.com",
- "is_shared_drive": false
- },
- "type": "document"
- },
- "originating_app_id": "1234",
- "primary_event": true,
- "visibility": "people_with_link"
- },
- "event": {
- "type": "access"
- },
- "kind": "admin#reports#activity",
- "organization": {
- "domain": "elastic.com"
- }
- },
- "input": {
- "type": "httpjson"
- },
- "organization": {
- "id": "1"
- },
- "related": {
- "ip": [
- "98.235.162.24"
- ],
- "user": [
- "owner",
- "foo"
- ]
- },
- "source": {
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, Inc."
- }
- },
- "ip": "98.235.162.24",
- "user": {
- "domain": "bar.com",
- "email": "foo@bar.com",
- "id": "1",
- "name": "foo"
- }
- },
- "tags": [
- "forwarded",
- "google-workspace-drive"
- ],
- "user": {
- "domain": "bar.com",
- "id": "1",
- "name": "foo"
- }
-}
\ No newline at end of file
diff --git a/packages/google_workspace/1.5.0/data_stream/groups/agent/stream/httpjson.yml.hbs b/packages/google_workspace/1.5.0/data_stream/groups/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index f0699fc2de..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/groups/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,44 +0,0 @@
-config_version: "2"
-interval: {{interval}}
-auth.oauth2.provider: google
-auth.oauth2.google.jwt_file: {{jwt_file}}
-auth.oauth2.google.jwt_json: {{jwt_json}}
-auth.oauth2.google.delegated_account: {{delegated_account}}
-auth.oauth2.scopes:
- - https://www.googleapis.com/auth/admin.reports.audit.readonly
-request.url: {{api_host}}/admin/reports/v1/activity/users/{{user_key}}/applications/groups
-{{#if http_client_timeout}}
-request.timeout: {{http_client_timeout}}
-{{/if}}
-request.transforms:
- - set:
- target: url.params.startTime
- value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]'
- default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
-response.split:
- target: body.items
- split:
- target: body.events
- keep_parent: true
-response.pagination:
- - set:
- target: url.params.pageToken
- value: "[[.last_response.body.nextPageToken]]"
- fail_on_template_error: true
-cursor:
- last_execution_datetime:
- value: "[[formatDate now]]"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/google_workspace/1.5.0/data_stream/groups/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/1.5.0/data_stream/groups/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index da25fdedc4..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/groups/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,300 +0,0 @@ ---- -description: Pipeline for parsing google_workspace logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: iam - - append: - field: event.type - value: group - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - date: - field: json.id.time - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - - rename: - field: json.events.name - target_field: event.action - ignore_missing: true - - fingerprint: - description: Hashes the ID object and uses it as the document id to avoid duplicate events. - fields: - - json.id - target_field: _id - ignore_missing: true - ignore_failure: true - - rename: - field: json.id.applicationName - target_field: event.provider - ignore_missing: true - - convert: - field: json.id.uniqueQualifier - target_field: event.id - type: string - ignore_missing: true - - rename: - field: json.actor.email - target_field: source.user.email - ignore_missing: true - - convert: - field: json.actor.profileId - target_field: source.user.id - type: string - ignore_missing: true - - convert: - field: json.ipAddress - target_field: source.ip - type: ip - ignore_missing: true - - rename: - field: json.kind - target_field: google_workspace.kind - ignore_missing: true - - convert: - field: json.id.customerId - target_field: organization.id - type: string - ignore_missing: true - - rename: - field: json.actor.callerType - target_field: google_workspace.actor.type - ignore_missing: true - - rename: - field: json.actor.key - target_field: google_workspace.actor.key - ignore_missing: true - - rename: - field: json.ownerDomain - target_field: google_workspace.organization.domain - ignore_missing: true - - rename: - field: json.events.type - target_field: google_workspace.event.type - 
ignore_missing: true - - set: - field: user.id - copy_from: source.user.id - if: ctx?.source?.user?.id != null - - script: - lang: painless - if: 'ctx?.source?.user?.email != null && ctx?.source?.user?.email.contains("@")' - source: > - String[] splitmail = ctx.source.user.email.splitOnToken('@'); - if (splitmail.length != 2) { - return; - } - if (ctx.user == null) { - ctx.user = new HashMap(); - } - ctx.user.name = splitmail[0]; - ctx.source.user.name = splitmail[0]; - ctx.user.domain = splitmail[1]; - ctx.source.user.domain = splitmail[1]; - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx?.source?.ip != null - allow_duplicates: false - - append: - field: related.user - value: "{{source.user.name}}" - if: ctx?.source?.user?.name != null - allow_duplicates: false - - append: - field: event.type - value: change - if: '["change_basic_setting", "change_identity_setting", "change_info_setting", "change_new_members_restrictions_setting", "change_post_replies_setting", "change_spam_moderation_setting", "change_topic_setting", "change_acl_permission", "approve_join_request", "join"].contains(ctx?.event?.action)' - - append: - field: event.category - value: configuration - if: '["change_basic_setting", "change_identity_setting", "change_info_setting", "change_new_members_restrictions_setting", "change_post_replies_setting", "change_spam_moderation_setting", "change_topic_setting", "add_info_setting", "remove_info_setting"].contains(ctx?.event?.action)' - - append: - field: event.type - value: info - if: '["accept_invitation", "request_to_join", "ban_user_with_moderation", "revoke_invitation", "invite_user", "reject_join_request", "reinvite_user", "moderate_message", "always_post_from_user"].contains(ctx?.event?.action)' - - append: - field: event.type - value: user - if: '["accept_invitation", "approve_join_request", "join", "request_to_join", "ban_user_with_moderation", "revoke_invitation", "invite_user", "reject_join_request", "reinvite_user", 
"add_user", "remove_user"].contains(ctx?.event?.action)' - - append: - field: event.type - value: creation - if: '["create_group", "add_info_setting", "add_user"].contains(ctx?.event?.action)' - - append: - field: event.type - value: deletion - if: '["delete_group", "remove_info_setting", "remove_user"].contains(ctx?.event?.action)' - - script: - lang: painless - if: 'ctx?.json?.events?.parameters != null && ctx?.json?.events?.parameters instanceof List' - source: > - if (ctx.google_workspace.groups == null) { - ctx.google_workspace.groups = new HashMap(); - } - for (int i = 0; i < ctx.json.events.parameters.length; ++i) { - if (ctx["json"]["events"]["parameters"][i]["value"] != null) { - ctx.google_workspace.groups[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["value"]; - } - if (ctx["json"]["events"]["parameters"][i]["intValue"] != null) { - ctx.google_workspace.groups[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["intValue"]; - } - if (ctx["json"]["events"]["parameters"][i]["multiValue"] != null) { - ctx.google_workspace.groups[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["multiValue"]; - } - } - - rename: - field: google_workspace.groups.group_email - target_field: google_workspace.groups.email - ignore_missing: true - - rename: - field: google_workspace.groups.new_value_repeated - target_field: google_workspace.groups.new_value - ignore_missing: true - - rename: - field: google_workspace.groups.old_value_repeated - target_field: google_workspace.groups.old_value - ignore_missing: true - - rename: - field: google_workspace.groups.user_email - target_field: google_workspace.groups.member.email - ignore_missing: true - - rename: - field: google_workspace.groups.basic_setting - target_field: google_workspace.groups.setting - ignore_missing: true - - rename: - field: google_workspace.groups.identity_setting - target_field: 
google_workspace.groups.setting - ignore_missing: true - - rename: - field: google_workspace.groups.info_setting - target_field: google_workspace.groups.setting - ignore_missing: true - - rename: - field: google_workspace.groups.new_members_restrictions_setting - target_field: google_workspace.groups.setting - ignore_missing: true - - rename: - field: google_workspace.groups.post_replies_setting - target_field: google_workspace.groups.setting - ignore_missing: true - - rename: - field: google_workspace.groups.spam_moderation_setting - target_field: google_workspace.groups.setting - ignore_missing: true - - rename: - field: google_workspace.groups.topic_setting - target_field: google_workspace.groups.setting - ignore_missing: true - - rename: - field: google_workspace.groups.message_id - target_field: google_workspace.groups.message.id - ignore_missing: true - - rename: - field: google_workspace.groups.message_moderation_action - target_field: google_workspace.groups.message.moderation_action - ignore_missing: true - - rename: - field: google_workspace.groups.member_role - target_field: google_workspace.groups.member.role - ignore_missing: true - - set: - field: event.outcome - value: failure - if: 'ctx?.google_workspace?.groups?.status == "failed"' - - set: - field: event.outcome - value: success - if: 'ctx?.google_workspace?.groups?.status == "success"' - - script: - lang: painless - if: 'ctx?.google_workspace?.groups?.email != null && ctx?.google_workspace?.groups?.email.contains("@")' - source: > - String[] splitmail = ctx.google_workspace.groups.email.splitOnToken('@'); - if (splitmail.length != 2) { - return; - } - if (ctx.group == null) { - ctx.group = new HashMap(); - } - ctx.group.name = splitmail[0]; - ctx.group.domain = splitmail[1]; - - script: - lang: painless - if: 'ctx?.google_workspace?.groups?.member?.email != null && ctx?.google_workspace?.groups?.member?.email.contains("@")' - source: > - String[] splitmail = 
ctx.google_workspace.groups.member.email.splitOnToken('@'); - if (splitmail.length != 2) { - return; - } - if (ctx.user == null) { - ctx.user = new HashMap(); - } - if (ctx.user.target == null) { - ctx.user.target = new HashMap(); - } - if (ctx.related == null) { - ctx.related = new HashMap(); - } - if (ctx.related.user == null) { - ctx.related.user = new ArrayList(); - } - ctx.related.user.add(splitmail[0]); - ctx.user.target.name = splitmail[0]; - ctx.user.target.domain = splitmail[1]; - ctx.user.target.email = ctx.google_workspace.groups.member.email; - - set: - field: user.target.group.name - copy_from: group.name - if: ctx?.group?.name != null - - set: - field: user.target.group.domain - copy_from: group.domain - if: ctx?.group?.domain != null - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - remove: - field: json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/google_workspace/1.5.0/data_stream/groups/fields/agent.yml b/packages/google_workspace/1.5.0/data_stream/groups/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/google_workspace/1.5.0/data_stream/groups/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/google_workspace/1.5.0/data_stream/groups/fields/base-fields.yml b/packages/google_workspace/1.5.0/data_stream/groups/fields/base-fields.yml
deleted file mode 100755
index b265ecedb0..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/groups/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: google_workspace
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: google_workspace.groups
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/google_workspace/1.5.0/data_stream/groups/fields/ecs.yml b/packages/google_workspace/1.5.0/data_stream/groups/fields/ecs.yml
deleted file mode 100755
index 1f2802e28a..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/groups/fields/ecs.yml
+++ /dev/null
@@ -1,216 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. 
- name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. 
- If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: Unique identifier for the organization. - name: organization.id - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. 
- name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: source.user.domain - type: keyword -- description: User email address. - name: source.user.email - type: keyword -- description: Unique identifier of the user. - name: source.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.target.domain - type: keyword -- description: User email address. - name: user.target.email - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. 
- name: user.target.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: user.target.group.id - type: keyword -- description: Name of the group. - name: user.target.group.name - type: keyword -- description: Unique identifier of the user. - name: user.target.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword diff --git a/packages/google_workspace/1.5.0/data_stream/groups/fields/fields.yml b/packages/google_workspace/1.5.0/data_stream/groups/fields/fields.yml deleted file mode 100755 index f80bd11d93..0000000000 --- a/packages/google_workspace/1.5.0/data_stream/groups/fields/fields.yml +++ /dev/null 
@@ -1,46 +0,0 @@
-- name: google_workspace.groups
- type: group
- fields:
- - name: acl_permission
- type: keyword
- description: |
- Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
- - name: email
- type: keyword
- description: |
- Group email.
- - name: member.email
- type: keyword
- description: |
- Member email.
- - name: member.role
- type: keyword
- description: |
- Member role. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
- - name: setting
- type: keyword
- description: |
- Group setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
- - name: new_value
- type: keyword
- description: |
- New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
- - name: old_value
- type: keyword
- description: Old value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
- - name: value
- type: keyword
- description: |
- Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
- - name: message.id
- type: keyword
- description: |
- SMTP message Id of an email message. Present for moderation events.
- - name: message.moderation_action
- type: keyword
- description: |
- Message moderation action. Possible values are `approved` and `rejected`.
- - name: status
- type: keyword
- description: |
- A status describing the output of an operation. Possible values are `failed` and `succeeded`.
diff --git a/packages/google_workspace/1.5.0/data_stream/groups/fields/package-fields.yml b/packages/google_workspace/1.5.0/data_stream/groups/fields/package-fields.yml
deleted file mode 100755
index 6aaf0c1ca5..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/groups/fields/package-fields.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-- name: google_workspace
- type: group
- fields:
- - name: actor.type
- type: keyword
- description: |
- The type of actor.
- Values can be:
- *USER*: Another user in the same domain.
- *EXTERNAL_USER*: A user outside the domain.
- *KEY*: A non-human actor.
- - name: actor.key
- type: keyword
- description: |
- Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts.
- - name: event.type
- type: keyword
- description: |
- The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list
- - name: kind
- type: keyword
- description: |
- The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list
- - name: organization.domain
- type: keyword
- description: |
- The domain that is affected by the report's event.
diff --git a/packages/google_workspace/1.5.0/data_stream/groups/manifest.yml b/packages/google_workspace/1.5.0/data_stream/groups/manifest.yml
deleted file mode 100755
index 7e74484384..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/groups/manifest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-type: logs
-title: Groups logs
-streams:
- - input: httpjson
- template_path: httpjson.yml.hbs
- title: Groups logs (httpjson)
- description: Collect groups logs using httpjson input
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - google-workspace-groups
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/google_workspace/1.5.0/data_stream/groups/sample_event.json b/packages/google_workspace/1.5.0/data_stream/groups/sample_event.json
deleted file mode 100755
index 315609614d..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/groups/sample_event.json
+++ /dev/null
@@ -1,110 +0,0 @@
-{
- "@timestamp": "2022-02-02T12:25:39.000Z",
- "agent": {
- "ephemeral_id": "a9599f5d-49a5-4339-9e5e-484f19370712",
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "data_stream": {
- "dataset": "google_workspace.groups",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "action": "change_acl_permission",
- "agent_id_status": "verified",
- "category": [
- "iam"
- ],
- "created": "2022-02-03T12:25:39.375Z",
- "dataset": "google_workspace.groups",
- "id": "1",
- "ingested": "2022-02-03T12:25:40Z",
- "provider": "groups",
- "type": [
- "group",
- "change"
- ]
- },
- "google_workspace": {
- "actor": {
- "type": "USER"
- },
- "event": {
- "type": "acl_change"
- },
- "groups": {
- "acl_permission": "can_add_members",
- "email": "group@example.com",
- "new_value": [
- "managers",
- "members"
- ],
- "old_value": [
- "managers"
- ]
- },
- "kind": "admin#reports#activity",
- "organization": {
- "domain": "elastic.com"
- }
- },
- "group": {
- "domain": "example.com",
- "name": "group"
- },
- "input": {
- "type": "httpjson"
- },
- "organization": {
- "id": "1"
- },
- "related": {
- "ip": [
- "98.235.162.24"
- ],
- "user": [
- "foo"
- ]
- },
- "source": {
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, Inc."
- }
- },
- "ip": "98.235.162.24",
- "user": {
- "domain": "bar.com",
- "email": "foo@bar.com",
- "id": "1",
- "name": "foo"
- }
- },
- "tags": [
- "forwarded",
- "google-workspace-groups"
- ],
- "user": {
- "domain": "bar.com",
- "id": "1",
- "name": "foo",
- "target": {
- "group": {
- "domain": "example.com",
- "name": "group"
- }
- }
- }
-}
\ No newline at end of file
diff --git a/packages/google_workspace/1.5.0/data_stream/login/agent/stream/httpjson.yml.hbs b/packages/google_workspace/1.5.0/data_stream/login/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index a8c2e6d9e7..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/login/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,44 +0,0 @@
-config_version: "2"
-interval: {{interval}}
-auth.oauth2.provider: google
-auth.oauth2.google.jwt_file: {{jwt_file}}
-auth.oauth2.google.jwt_json: {{jwt_json}}
-auth.oauth2.google.delegated_account: {{delegated_account}}
-auth.oauth2.scopes:
- - https://www.googleapis.com/auth/admin.reports.audit.readonly
-request.url: {{api_host}}/admin/reports/v1/activity/users/{{user_key}}/applications/login
-{{#if http_client_timeout}}
-request.timeout: {{http_client_timeout}}
-{{/if}}
-request.transforms:
- - set:
- target: url.params.startTime
- value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]'
- default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
-response.split:
- target: body.items
- split:
- target: body.events
- keep_parent: true
-response.pagination:
- - set:
- target: url.params.pageToken
- value: "[[.last_response.body.nextPageToken]]"
- fail_on_template_error: true
-cursor:
- last_execution_datetime:
- value: "[[formatDate now]]"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/google_workspace/1.5.0/data_stream/login/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/1.5.0/data_stream/login/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index a4c0266385..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/login/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,245 +0,0 @@
----
-description: Pipeline for parsing google_workspace logs
-processors:
- - set:
- field: ecs.version
- value: '8.2.0'
- - append:
- field: event.category
- value: authentication
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- ignore_failure: true
- - date:
- field: json.id.time
- timezone: UTC
- formats:
- - ISO8601
- - yyyy-MM-dd'T'HH:mm:ss
- - yyyy-MM-dd'T'HH:mm:ssZ
- - yyyy-MM-dd'T'HH:mm:ss.SSSZ
- - yyyy/MM/dd HH:mm:ss z
- - rename:
- field: json.events.name
- target_field: event.action
- ignore_missing: true
- - fingerprint:
- description: Hashes the ID object and uses it as the document id to avoid duplicate events.
- fields:
- - json.id
- target_field: _id
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.id.applicationName
- target_field: event.provider
- ignore_missing: true
- - convert:
- field: json.id.uniqueQualifier
- target_field: event.id
- type: string
- ignore_missing: true
- - rename:
- field: json.actor.email
- target_field: source.user.email
- ignore_missing: true
- - convert:
- field: json.actor.profileId
- target_field: source.user.id
- type: string
- ignore_missing: true
- - convert:
- field: json.ipAddress
- target_field: source.ip
- type: ip
- ignore_missing: true
- - rename:
- field: json.kind
- target_field: google_workspace.kind
- ignore_missing: true
- - convert:
- field: json.id.customerId
- target_field: organization.id
- type: string
- ignore_missing: true
- - rename:
- field: json.actor.callerType
- target_field: google_workspace.actor.type
- ignore_missing: true
- - rename:
- field: json.actor.key
- target_field: google_workspace.actor.key
- ignore_missing: true
- - rename:
- field: json.ownerDomain
- target_field: google_workspace.organization.domain
- ignore_missing: true
- - rename:
- field: json.events.type
- target_field: google_workspace.event.type
- ignore_missing: true
- - script:
- lang: painless
- if: 'ctx?.source?.user?.email != null && ctx?.source?.user?.email.contains("@")'
- source: >
- String[] splitmail = ctx.source.user.email.splitOnToken('@');
- if (splitmail.length != 2) {
- return;
- }
- if (ctx.user == null) {
- ctx.user = new HashMap();
- }
- ctx.user.name = splitmail[0];
- ctx.source.user.name = splitmail[0];
- ctx.user.domain = splitmail[1];
- ctx.source.user.domain = splitmail[1];
- - set:
- field: user.id
- copy_from: source.user.id
- if: ctx?.source?.user?.id != null
- - append:
- field: related.ip
- value: "{{source.ip}}"
- if: ctx?.source?.ip != null
- allow_duplicates: false
- - append:
- field: related.user
- value: "{{source.user.name}}"
- if: ctx?.source?.user?.name != null
- allow_duplicates: false
- - append:
- field: event.category
- value: session
- if: '["login_failure", "login_success", "logout"].contains(ctx?.event?.action)'
- - append:
- field: event.type
- value: start
- if: '["login_failure", "login_success"].contains(ctx?.event?.action)'
- - append:
- field: event.type
- value: end
- if: 'ctx?.event?.action == "logout"'
- - append:
- field: event.type
- value: user
- if: '["account_disabled_generic", "account_disabled_spamming_through_relay", "account_disabled_spamming", "account_disabled_hijacked", "account_disabled_password_leak"].contains(ctx?.event?.action)'
- - append:
- field: event.type
- value: change
- if: '["account_disabled_generic", "account_disabled_spamming_through_relay", "account_disabled_spamming", "account_disabled_hijacked", "account_disabled_password_leak"].contains(ctx?.event?.action)'
- - append:
- field: event.type
- value: info
- if: '["gov_attack_warning", "login_challenge", "login_verification", "suspicious_login", "suspicious_login_less_secure_app", "suspicious_programmatic_login"].contains(ctx?.event?.action)'
- - set:
- field: event.outcome
- value: failure
- if: 'ctx?.event?.action == "login_failure"'
- - set:
- field: event.outcome
- value: success
- if: 'ctx?.event?.action == "login_success"'
- - script:
- lang: painless
- if: 'ctx?.json?.events?.parameters != null && ctx?.json?.events?.parameters instanceof List'
- source: >
- if (ctx.google_workspace.login == null) {
- ctx.google_workspace.login = new HashMap();
- }
- for (int i = 0; i < ctx.json.events.parameters.length; ++i) {
- if (ctx["json"]["events"]["parameters"][i]["name"] != null && ctx["json"]["events"]["parameters"][i]["name"].startsWith("login_")) {
- ctx["json"]["events"]["parameters"][i]["name"] = ctx["json"]["events"]["parameters"][i]["name"].substring(6);
- }
- if (ctx["json"]["events"]["parameters"][i]["value"] != null) {
- ctx.google_workspace.login[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["value"];
- }
- if (ctx["json"]["events"]["parameters"][i]["intValue"] != null) {
- ctx.google_workspace.login[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["intValue"];
- }
- if (ctx["json"]["events"]["parameters"][i]["multiValue"] != null) {
- ctx.google_workspace.login[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["multiValue"];
- }
- }
- - script:
- lang: painless
- if: ctx?.google_workspace?.login?.timestamp != null
- source: >
- ctx._temp_ = new HashMap();
- ctx._temp_.start = ctx?.google_workspace?.login.timestamp / 1000;
- - date:
- field: _temp_.start
- target_field: event.start
- timezone: UTC
- formats:
- - UNIX_MS
- if: ctx?._temp_?.start != null
- - set:
- field: event.outcome
- value: success
- if: 'ctx?.google_workspace?.login?.challenge_status != null && ctx?.event?.outcome == null && ctx?.google_workspace?.login?.challenge_status == "Challenge Passed"'
- - set:
- field: event.outcome
- value: failure
- if: 'ctx?.google_workspace?.login?.challenge_status != null && ctx?.event?.outcome == null'
- - script:
- lang: painless
- if: 'ctx?.google_workspace?.login?.affected_email_address != null && ctx?.google_workspace?.login?.affected_email_address.contains("@")'
- source: >
- String[] splitmail = ctx.google_workspace.login.affected_email_address.splitOnToken('@');
- if (splitmail.length != 2) {
- return;
- }
- if (ctx.related == null) {
- ctx.related = new HashMap();
- }
- if (ctx.related.user == null) {
- ctx.related.user = new ArrayList();
- }
- if (ctx.user == null) {
- ctx.user = new HashMap();
- }
- if (ctx.user.target == null) {
- ctx.user.target = new HashMap();
- }
- ctx.user.target.name = splitmail[0];
- ctx.user.target.domain = splitmail[1];
- ctx.related.user.add(splitmail[0]);
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - remove:
- field:
- - json
- - _temp_
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/google_workspace/1.5.0/data_stream/login/fields/agent.yml b/packages/google_workspace/1.5.0/data_stream/login/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/login/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/google_workspace/1.5.0/data_stream/login/fields/base-fields.yml b/packages/google_workspace/1.5.0/data_stream/login/fields/base-fields.yml
deleted file mode 100755
index cb70f3767f..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/login/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: google_workspace
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: google_workspace.login
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/google_workspace/1.5.0/data_stream/login/fields/ecs.yml b/packages/google_workspace/1.5.0/data_stream/login/fields/ecs.yml
deleted file mode 100755
index 1f2802e28a..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/login/fields/ecs.yml
+++ /dev/null
@@ -1,216 +0,0 @@
-- description: Container name.
- name: container.name
- type: keyword
-- description: Runtime managing this container.
- name: container.runtime
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- Source of the event.
- Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
- name: event.provider
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- Name of the directory the group is a member of.
- For example, an LDAP or Active Directory domain name.
- name: group.domain
- type: keyword
-- description: Unique identifier for the group on the system/platform.
- name: group.id
- type: keyword
-- description: Name of the group.
- name: group.name
- type: keyword
-- description: |-
- Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
- If the event wasn't read from a log file, do not populate this field.
- name: log.file.path
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: Unique identifier for the organization.
- name: organization.id
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- level: core
- name: source.geo.location
- type: geo_point
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: source.user.domain
- type: keyword
-- description: User email address.
- name: source.user.email
- type: keyword
-- description: Unique identifier of the user.
- name: source.user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.user.name
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- type: keyword
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.domain
- type: keyword
-- description: User email address.
- name: user.email
- type: keyword
-- description: Unique identifier of the user.
- name: user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.target.domain
- type: keyword
-- description: User email address.
- name: user.target.email
- type: keyword
-- description: |-
- Name of the directory the group is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.target.group.domain
- type: keyword
-- description: Unique identifier for the group on the system/platform.
- name: user.target.group.id
- type: keyword
-- description: Name of the group.
- name: user.target.group.name
- type: keyword
-- description: Unique identifier of the user.
- name: user.target.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.target.name
- type: keyword
diff --git a/packages/google_workspace/1.5.0/data_stream/login/fields/fields.yml b/packages/google_workspace/1.5.0/data_stream/login/fields/fields.yml
deleted file mode 100755
index 23e4416bab..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/login/fields/fields.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-- name: google_workspace.login
- type: group
- fields:
- - name: affected_email_address
- type: keyword
- - name: challenge_method
- type: keyword
- description: |
- Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.
- - name: failure_type
- type: keyword
- description: |
- Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.
- - name: challenge_status
- type: keyword
- description: |
- Login challenge status. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.
- - name: timestamp
- type: long
- description: |
- UNIX timestmap of login in microseconds. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.
- - name: type
- type: keyword
- description: |
- Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.
- - name: is_second_factor
- type: boolean
- - name: is_suspicious
- type: boolean
diff --git a/packages/google_workspace/1.5.0/data_stream/login/fields/package-fields.yml b/packages/google_workspace/1.5.0/data_stream/login/fields/package-fields.yml
deleted file mode 100755
index 6aaf0c1ca5..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/login/fields/package-fields.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-- name: google_workspace
- type: group
- fields:
- - name: actor.type
- type: keyword
- description: |
- The type of actor.
- Values can be:
- *USER*: Another user in the same domain.
- *EXTERNAL_USER*: A user outside the domain.
- *KEY*: A non-human actor.
- - name: actor.key
- type: keyword
- description: |
- Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts.
- - name: event.type
- type: keyword
- description: |
- The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list
- - name: kind
- type: keyword
- description: |
- The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list
- - name: organization.domain
- type: keyword
- description: |
- The domain that is affected by the report's event.
diff --git a/packages/google_workspace/1.5.0/data_stream/login/manifest.yml b/packages/google_workspace/1.5.0/data_stream/login/manifest.yml
deleted file mode 100755
index 4adbd3874b..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/login/manifest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-type: logs
-title: Login logs
-streams:
- - input: httpjson
- template_path: httpjson.yml.hbs
- title: Login logs (httpjson)
- description: Collect login logs using httpjson input
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - google-workspace-login
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/google_workspace/1.5.0/data_stream/login/sample_event.json b/packages/google_workspace/1.5.0/data_stream/login/sample_event.json
deleted file mode 100755
index 18ad1d7859..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/login/sample_event.json
+++ /dev/null
@@ -1,97 +0,0 @@
-{
- "@timestamp": "2022-02-02T12:26:31.000Z",
- "agent": {
- "ephemeral_id": "0b8db1d7-2f2e-4e9d-84d8-f3b4409101ef",
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "data_stream": {
- "dataset": "google_workspace.login",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "action": "account_disabled_password_leak",
- "agent_id_status": "verified",
- "category": [
- "authentication"
- ],
- "created": "2022-02-03T12:26:31.037Z",
- "dataset": "google_workspace.login",
- "id": "1",
- "ingested": "2022-02-03T12:26:32Z",
- "provider": "login",
- "type": [
- "user",
- "change"
- ]
- },
- "google_workspace": {
- "actor": {
- "type": "USER"
- },
- "event": {
- "type": "account_warning"
- },
- "kind": "admin#reports#activity",
- "login": {
- "affected_email_address": "foo@elastic.co"
- },
- "organization": {
- "domain": "elastic.com"
- }
- },
- "input": {
- "type": "httpjson"
- },
- "organization": {
- "id": "1"
- },
- "related": {
- "ip": [
- "98.235.162.24"
- ],
- "user": [
- "foo",
- "foo"
- ]
- },
- "source": {
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, Inc."
- }
- },
- "ip": "98.235.162.24",
- "user": {
- "domain": "bar.com",
- "email": "foo@bar.com",
- "id": "1",
- "name": "foo"
- }
- },
- "tags": [
- "forwarded",
- "google-workspace-login"
- ],
- "user": {
- "domain": "bar.com",
- "id": "1",
- "name": "foo",
- "target": {
- "domain": "elastic.co",
- "name": "foo"
- }
- }
-}
\ No newline at end of file
diff --git a/packages/google_workspace/1.5.0/data_stream/saml/agent/stream/httpjson.yml.hbs b/packages/google_workspace/1.5.0/data_stream/saml/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index dc0abe3102..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/saml/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,44 +0,0 @@
-config_version: "2"
-interval: {{interval}}
-auth.oauth2.provider: google
-auth.oauth2.google.jwt_file: {{jwt_file}}
-auth.oauth2.google.jwt_json: {{jwt_json}}
-auth.oauth2.google.delegated_account: {{delegated_account}}
-auth.oauth2.scopes:
- - https://www.googleapis.com/auth/admin.reports.audit.readonly
-request.url: {{api_host}}/admin/reports/v1/activity/users/{{user_key}}/applications/saml
-{{#if http_client_timeout}}
-request.timeout: {{http_client_timeout}}
-{{/if}}
-request.transforms:
- - set:
- target: url.params.startTime
- value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]'
- default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
-response.split:
- target: body.items
- split:
- target: body.events
- keep_parent: true
-response.pagination:
- - set:
- target: url.params.pageToken
- value: "[[.last_response.body.nextPageToken]]"
- fail_on_template_error: true
-cursor:
- last_execution_datetime:
- value: "[[formatDate now]]"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/google_workspace/1.5.0/data_stream/saml/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/1.5.0/data_stream/saml/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 4124d08c13..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/saml/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,181 +0,0 @@ ---- -description: Pipeline for parsing google_workspace logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.type - value: start - - append: - field: event.category - value: authentication - - append: - field: event.category - value: session - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - date: - field: json.id.time - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - - rename: - field: json.events.name - target_field: event.action - ignore_missing: true - - fingerprint: - description: Hashes the ID object and uses it as the document id to avoid duplicate events. - fields: - - json.id - target_field: _id - ignore_missing: true - ignore_failure: true - - rename: - field: json.id.applicationName - target_field: event.provider - ignore_missing: true - - convert: - field: json.id.uniqueQualifier - target_field: event.id - type: string - ignore_missing: true - - rename: - field: json.actor.email - target_field: source.user.email - ignore_missing: true - - convert: - field: json.actor.profileId - target_field: source.user.id - type: string - ignore_missing: true - - set: - field: user.id - copy_from: source.user.id - if: ctx?.source?.user?.id != null - - convert: - field: json.ipAddress - target_field: source.ip - type: ip - ignore_missing: true - - rename: - field: json.kind - target_field: google_workspace.kind - ignore_missing: true - - convert: - field: json.id.customerId - target_field: organization.id - type: string - ignore_missing: true - - rename: - field: json.actor.callerType - target_field: google_workspace.actor.type - ignore_missing: true - - rename: - field: json.actor.key - target_field: google_workspace.actor.key - ignore_missing: true - - rename: - field: json.ownerDomain - 
target_field: google_workspace.organization.domain - ignore_missing: true - - rename: - field: json.events.type - target_field: google_workspace.event.type - ignore_missing: true - - script: - lang: painless - if: 'ctx?.source?.user?.email != null && ctx?.source?.user?.email.contains("@")' - source: > - String[] splitmail = ctx.source.user.email.splitOnToken('@'); - if (splitmail.length != 2) { - return; - } - if (ctx.user == null) { - ctx.user = new HashMap(); - } - ctx.user.name = splitmail[0]; - ctx.source.user.name = splitmail[0]; - ctx.user.domain = splitmail[1]; - ctx.source.user.domain = splitmail[1]; - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx?.source?.ip != null - allow_duplicates: false - - append: - field: related.user - value: "{{source.user.name}}" - if: ctx?.source?.user?.name != null - allow_duplicates: false - - set: - field: event.outcome - value: success - if: 'ctx?.event?.action == "login_success"' - - set: - field: event.outcome - value: failure - if: 'ctx?.event?.action == "login_failure"' - - script: - lang: painless - if: 'ctx?.json?.events?.parameters != null && ctx?.json?.events?.parameters instanceof List' - source: > - if (ctx.google_workspace.saml == null) { - ctx.google_workspace.saml = new HashMap(); - } - for (int i = 0; i < ctx.json.events.parameters.length; ++i) { - if (ctx["json"]["events"]["parameters"][i]["name"] != null && ctx["json"]["events"]["parameters"][i]["name"].startsWith("saml_")) { - ctx["json"]["events"]["parameters"][i]["name"] = ctx["json"]["events"]["parameters"][i]["name"].substring(5); - } - if (ctx["json"]["events"]["parameters"][i]["value"] != null) { - ctx.google_workspace.saml[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["value"]; - } - if (ctx["json"]["events"]["parameters"][i]["intValue"] != null) { - ctx.google_workspace.saml[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["intValue"]; - } - if 
(ctx["json"]["events"]["parameters"][i]["multiValue"] != null) { - ctx.google_workspace.saml[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["multiValue"]; - } - } - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - remove: - field: json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/google_workspace/1.5.0/data_stream/saml/fields/agent.yml b/packages/google_workspace/1.5.0/data_stream/saml/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/google_workspace/1.5.0/data_stream/saml/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/google_workspace/1.5.0/data_stream/saml/fields/base-fields.yml b/packages/google_workspace/1.5.0/data_stream/saml/fields/base-fields.yml
deleted file mode 100755
index 660db83315..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/saml/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: google_workspace
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: google_workspace.saml
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/google_workspace/1.5.0/data_stream/saml/fields/ecs.yml b/packages/google_workspace/1.5.0/data_stream/saml/fields/ecs.yml
deleted file mode 100755
index 1f2802e28a..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/saml/fields/ecs.yml
+++ /dev/null
@@ -1,216 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. 
- name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. 
- If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: Unique identifier for the organization. - name: organization.id - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. 
- name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: source.user.domain - type: keyword -- description: User email address. - name: source.user.email - type: keyword -- description: Unique identifier of the user. - name: source.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.target.domain - type: keyword -- description: User email address. - name: user.target.email - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. 
- name: user.target.group.domain
- type: keyword
-- description: Unique identifier for the group on the system/platform.
- name: user.target.group.id
- type: keyword
-- description: Name of the group.
- name: user.target.group.name
- type: keyword
-- description: Unique identifier of the user.
- name: user.target.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.target.name
- type: keyword
diff --git a/packages/google_workspace/1.5.0/data_stream/saml/fields/fields.yml b/packages/google_workspace/1.5.0/data_stream/saml/fields/fields.yml
deleted file mode 100755
index f2f39dd64b..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/saml/fields/fields.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-- name: google_workspace.saml
- type: group
- fields:
- - name: application_name
- type: keyword
- description: |
- Saml SP application name.
- - name: failure_type
- type: keyword
- description: |
- Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml.
- - name: initiated_by
- type: keyword
- description: |
- Requester of SAML authentication.
- - name: orgunit_path
- type: keyword
- description: |
- User orgunit.
- - name: status_code
- type: keyword
- description: |
- SAML status code.
- - name: second_level_status_code
- type: keyword
- description: |
- SAML second level status code.
diff --git a/packages/google_workspace/1.5.0/data_stream/saml/fields/package-fields.yml b/packages/google_workspace/1.5.0/data_stream/saml/fields/package-fields.yml
deleted file mode 100755
index 6aaf0c1ca5..0000000000
--- a/packages/google_workspace/1.5.0/data_stream/saml/fields/package-fields.yml
+++ /dev/null
@@ -1,27 +0,0 @@ -- name: google_workspace - type: group - fields: - - name: actor.type - type: keyword - description: | - The type of actor. - Values can be: - *USER*: Another user in the same domain. - *EXTERNAL_USER*: A user outside the domain. - *KEY*: A non-human actor. - - name: actor.key - type: keyword - description: | - Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. - - name: event.type - type: keyword - description: | - The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - - name: kind - type: keyword - description: | - The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - - name: organization.domain - type: keyword - description: | - The domain that is affected by the report's event. diff --git a/packages/google_workspace/1.5.0/data_stream/saml/manifest.yml b/packages/google_workspace/1.5.0/data_stream/saml/manifest.yml deleted file mode 100755 index 5b8c5349f1..0000000000 --- a/packages/google_workspace/1.5.0/data_stream/saml/manifest.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -type: logs -title: SAML logs -streams: - - input: httpjson - template_path: httpjson.yml.hbs - title: SAML logs (httpjson) - description: Collect SAML logs using httpjson input - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - google-workspace-saml - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/google_workspace/1.5.0/data_stream/saml/sample_event.json b/packages/google_workspace/1.5.0/data_stream/saml/sample_event.json deleted file mode 100755 index 239de70218..0000000000 --- a/packages/google_workspace/1.5.0/data_stream/saml/sample_event.json +++ /dev/null 
@@ -1,98 +0,0 @@ -{ - "@timestamp": "2022-02-02T12:27:23.000Z", - "agent": { - "ephemeral_id": "4ffa592e-b9c1-4a7e-8c91-78817747d073", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "google_workspace.saml", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "login_failure", - "agent_id_status": "verified", - "category": [ - "authentication", - "session" - ], - "created": "2022-02-03T12:27:23.007Z", - "dataset": "google_workspace.saml", - "id": "1", - "ingested": "2022-02-03T12:27:24Z", - "outcome": "failure", - "provider": "saml", - "type": [ - "start" - ] - }, - "google_workspace": { - "actor": { - "type": "USER" - }, - "event": { - "type": "login" - }, - "kind": "admin#reports#activity", - "organization": { - "domain": "elastic.com" - }, - "saml": { - "application_name": "app", - "failure_type": "failure_app_not_configured_for_user", - "initiated_by": "idp", - "orgunit_path": "ounit", - "second_level_status_code": "SUCCESS_URI", - "status_code": "SUCCESS_URI" - } - }, - "input": { - "type": "httpjson" - }, - "organization": { - "id": "1" - }, - "related": { - "ip": [ - "98.235.162.24" - ], - "user": [ - "foo" - ] - }, - "source": { - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, Inc." - } - }, - "ip": "98.235.162.24", - "user": { - "domain": "bar.com", - "email": "foo@bar.com", - "id": "1", - "name": "foo" - } - }, - "tags": [ - "forwarded", - "google-workspace-saml" - ], - "user": { - "domain": "bar.com", - "id": "1", - "name": "foo" - } -} \ No newline at end of file 
diff --git a/packages/google_workspace/1.5.0/data_stream/user_accounts/agent/stream/httpjson.yml.hbs b/packages/google_workspace/1.5.0/data_stream/user_accounts/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 334297c6f8..0000000000 --- a/packages/google_workspace/1.5.0/data_stream/user_accounts/agent/stream/httpjson.yml.hbs +++ /dev/null @@ -1,44 +0,0 @@ -config_version: "2" -interval: {{interval}} -auth.oauth2.provider: google -auth.oauth2.google.jwt_file: {{jwt_file}} -auth.oauth2.google.jwt_json: {{jwt_json}} -auth.oauth2.google.delegated_account: {{delegated_account}} -auth.oauth2.scopes: - - https://www.googleapis.com/auth/admin.reports.audit.readonly -request.url: {{api_host}}/admin/reports/v1/activity/users/{{user_key}}/applications/user_accounts -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -request.transforms: - - set: - target: url.params.startTime - value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]' - default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' -response.split: - target: body.items - split: - target: body.events - keep_parent: true -response.pagination: - - set: - target: url.params.pageToken - value: "[[.last_response.body.nextPageToken]]" - fail_on_template_error: true -cursor: - last_execution_datetime: - value: "[[formatDate now]]" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/google_workspace/1.5.0/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/1.5.0/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 2290902767..0000000000 
--- a/packages/google_workspace/1.5.0/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,152 +0,0 @@ ---- -description: Pipeline for parsing google_workspace logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.type - value: change - - append: - field: event.type - value: user - - append: - field: event.category - value: iam - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - date: - field: json.id.time - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - - rename: - field: json.events.name - target_field: event.action - ignore_missing: true - - fingerprint: - description: Hashes the ID object and uses it as the document id to avoid duplicate events. - fields: - - json.id - target_field: _id - ignore_missing: true - ignore_failure: true - - rename: - field: json.id.applicationName - target_field: event.provider - ignore_missing: true - - convert: - field: json.id.uniqueQualifier - target_field: event.id - type: string - ignore_missing: true - - rename: - field: json.actor.email - target_field: source.user.email - ignore_missing: true - - convert: - field: json.actor.profileId - target_field: source.user.id - type: string - ignore_missing: true - - set: - field: user.id - copy_from: source.user.id - if: ctx?.source?.user?.id != null - - convert: - field: json.ipAddress - target_field: source.ip - type: ip - ignore_missing: true - - rename: - field: json.kind - target_field: google_workspace.kind - ignore_missing: true - - convert: - field: json.id.customerId - target_field: organization.id - type: string - ignore_missing: true - - rename: - field: json.actor.callerType - target_field: google_workspace.actor.type - ignore_missing: true - - rename: - field: json.actor.key - target_field: google_workspace.actor.key - ignore_missing: true - - rename: - field: json.ownerDomain - target_field: 
google_workspace.organization.domain - ignore_missing: true - - rename: - field: json.events.type - target_field: google_workspace.event.type - ignore_missing: true - - script: - lang: painless - if: 'ctx?.source?.user?.email != null && ctx?.source?.user?.email.contains("@")' - source: > - String[] splitmail = ctx.source.user.email.splitOnToken('@'); - if (splitmail.length != 2) { - return; - } - if (ctx.user == null) { - ctx.user = new HashMap(); - } - ctx.user.name = splitmail[0]; - ctx.source.user.name = splitmail[0]; - ctx.user.domain = splitmail[1]; - ctx.source.user.domain = splitmail[1]; - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx?.source?.ip != null - allow_duplicates: false - - append: - field: related.user - value: "{{source.user.name}}" - if: ctx?.source?.user?.name != null - allow_duplicates: false - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - remove: - field: json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/google_workspace/1.5.0/data_stream/user_accounts/fields/agent.yml b/packages/google_workspace/1.5.0/data_stream/user_accounts/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/google_workspace/1.5.0/data_stream/user_accounts/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/google_workspace/1.5.0/data_stream/user_accounts/fields/base-fields.yml b/packages/google_workspace/1.5.0/data_stream/user_accounts/fields/base-fields.yml deleted file mode 100755 index 061f34ffc7..0000000000 --- a/packages/google_workspace/1.5.0/data_stream/user_accounts/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: google_workspace -- name: event.dataset - type: constant_keyword - description: Event dataset - value: google_workspace.user_accounts -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/google_workspace/1.5.0/data_stream/user_accounts/fields/ecs.yml b/packages/google_workspace/1.5.0/data_stream/user_accounts/fields/ecs.yml deleted file mode 100755 index 1f2802e28a..0000000000 --- a/packages/google_workspace/1.5.0/data_stream/user_accounts/fields/ecs.yml +++ /dev/null 
@@ -1,216 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. 
- name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. 
- If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: Unique identifier for the organization. - name: organization.id - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. 
- name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: source.user.domain - type: keyword -- description: User email address. - name: source.user.email - type: keyword -- description: Unique identifier of the user. - name: source.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.target.domain - type: keyword -- description: User email address. - name: user.target.email - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. 
- name: user.target.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: user.target.group.id - type: keyword -- description: Name of the group. - name: user.target.group.name - type: keyword -- description: Unique identifier of the user. - name: user.target.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword diff --git a/packages/google_workspace/1.5.0/data_stream/user_accounts/fields/package-fields.yml b/packages/google_workspace/1.5.0/data_stream/user_accounts/fields/package-fields.yml deleted file mode 100755 index 6aaf0c1ca5..0000000000 --- a/packages/google_workspace/1.5.0/data_stream/user_accounts/fields/package-fields.yml +++ /dev/null @@ -1,27 +0,0 @@ -- name: google_workspace - type: group - fields: - - name: actor.type - type: keyword - description: | - The type of actor. - Values can be: - *USER*: Another user in the same domain. - *EXTERNAL_USER*: A user outside the domain. - *KEY*: A non-human actor. - - name: actor.key - type: keyword - description: | - Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. - - name: event.type - type: keyword - description: | - The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - - name: kind - type: keyword - description: | - The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - - name: organization.domain - type: keyword - description: | - The domain that is affected by the report's event. 
diff --git a/packages/google_workspace/1.5.0/data_stream/user_accounts/manifest.yml b/packages/google_workspace/1.5.0/data_stream/user_accounts/manifest.yml deleted file mode 100755 index bda3d1d7c8..0000000000 --- a/packages/google_workspace/1.5.0/data_stream/user_accounts/manifest.yml +++ /dev/null @@ -1,34 +0,0 @@ -type: logs -title: User accounts logs -streams: - - input: httpjson - template_path: httpjson.yml.hbs - title: User accounts logs (httpjson) - description: Collect user accounts logs using httpjson input - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - google-workspace-user-accounts - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/google_workspace/1.5.0/data_stream/user_accounts/sample_event.json b/packages/google_workspace/1.5.0/data_stream/user_accounts/sample_event.json deleted file mode 100755 index ad8b8fb11e..0000000000 --- a/packages/google_workspace/1.5.0/data_stream/user_accounts/sample_event.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "@timestamp": "2022-02-02T12:28:15.000Z", - "agent": { - "ephemeral_id": "3242bd5f-5862-4205-97eb-6aaac7d3f3d5", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "google_workspace.user_accounts", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "2sv_disable", - "agent_id_status": "verified", - "category": [ - "iam" - ], - "created": "2022-02-03T12:28:15.402Z", - "dataset": "google_workspace.user_accounts", - "id": "1", - "ingested": "2022-02-03T12:28:16Z", - "provider": "user_accounts", - "type": [ - "change", - "user" - ] - }, - "google_workspace": { - "actor": { - "type": "USER" - }, - "event": { - "type": "2sv_change" - }, - "kind": "admin#reports#activity", - "organization": { - "domain": "elastic.com" - } - }, - "input": { - "type": "httpjson" - }, - "organization": { - "id": "1" - }, - "related": { - "ip": [ - "98.235.162.24" - ], - "user": [ - "foo" - ] - }, - "source": { - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, Inc." - } - }, - "ip": "98.235.162.24", - "user": { - "domain": "bar.com", - "email": "foo@bar.com", - "id": "1", - "name": "foo" - } - }, - "tags": [ - "forwarded", - "google-workspace-user-accounts" - ], - "user": { - "domain": "bar.com", - "id": "1", - "name": "foo" - } -} \ No newline at end of file diff --git a/packages/google_workspace/1.5.0/docs/README.md b/packages/google_workspace/1.5.0/docs/README.md deleted file mode 100755 index acfa620a71..0000000000 --- a/packages/google_workspace/1.5.0/docs/README.md +++ /dev/null 
@@ -1,1500 +0,0 @@ -# Google Workspace Integration - -The Google Workspace integration collects and parses data from the different Google Workspace audit reports APIs. - -## Compatibility - -It is compatible with a subset of applications under the [Google Reports API v1](https://developers.google.com/admin-sdk/reports/v1/get-start/getting-started). As of today it supports: - -| Google Workspace Service | Description | -|---|---| -| [SAML](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml) [help](https://support.google.com/a/answer/7007375?hl=en&ref_topic=9027054) | View users’ successful and failed sign-ins to SAML applications. | -| [User Accounts](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts) [help](https://support.google.com/a/answer/9022875?hl=en&ref_topic=9027054) | Audit actions carried out by users on their own accounts including password changes, account recovery details and 2-Step Verification enrollment. | -| [Login](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login) [help](https://support.google.com/a/answer/4580120?hl=en&ref_topic=9027054) | Track user sign-in activity to your domain. | -| [Admin](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings) [help](https://support.google.com/a/answer/4579579?hl=en&ref_topic=9027054) | View administrator activity performed within the Google Admin console. | -| [Drive](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive) [help](https://support.google.com/a/answer/4579696?hl=en&ref_topic=9027054) | Record user activity within Google Drive including content creation in such as Google Docs, as well as content created elsewhere that your users upload to Drive such as PDFs and Microsoft Word files. 
| -| [Groups](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups) [help](https://support.google.com/a/answer/6270454?hl=en&ref_topic=9027054) | Track changes to groups, group memberships and group messages. | - -## Requirements - -In order to ingest data from the Google Reports API you must: - -- Have an *administrator account*. -- [Set up a ServiceAccount](https://support.google.com/workspacemigrate/answer/9222993?hl=en) using the administrator account. -- [Set up access to the Admin SDK API](https://support.google.com/workspacemigrate/answer/9222865?hl=en) for the ServiceAccount. -- [Enable Domain-Wide Delegation](https://developers.google.com/admin-sdk/reports/v1/guides/delegation) for your ServiceAccount. - -This module will make use of the following *oauth2 scope*: - -- `https://www.googleapis.com/auth/admin.reports.audit.readonly` - -Once you have downloaded your service account credentials as a JSON file, you are ready to set up your integration. - -## Logs - -### Google Workspace Reports ECS fields - -This is a list of Google Workspace Reports fields that are mapped to ECS that are common to al data sets. - -| Google Workspace Reports | ECS Fields | -|------------------------------|---------------------------------------------------------------| -| `items[].id.time` | `@timestamp` | -| `items[].id.uniqueQualifier` | `event.id` | -| `items[].id.applicationName` | `event.provider` | -| `items[].events[].name` | `event.action` | -| `items[].customerId` | `organization.id` | -| `items[].ipAddress` | `source.ip`, `related.ip`, `source.as.*`, `source.geo.*` | -| `items[].actor.email` | `source.user.email`, `source.user.name`, `source.user.domain` | -| `items[].actor.profileId` | `source.user.id` | - -### SAML - -This is the `saml` dataset. 
- -An example event for `saml` looks as following: - -```json -{ - "@timestamp": "2022-02-02T12:27:23.000Z", - "agent": { - "ephemeral_id": "4ffa592e-b9c1-4a7e-8c91-78817747d073", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "google_workspace.saml", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "login_failure", - "agent_id_status": "verified", - "category": [ - "authentication", - "session" - ], - "created": "2022-02-03T12:27:23.007Z", - "dataset": "google_workspace.saml", - "id": "1", - "ingested": "2022-02-03T12:27:24Z", - "outcome": "failure", - "provider": "saml", - "type": [ - "start" - ] - }, - "google_workspace": { - "actor": { - "type": "USER" - }, - "event": { - "type": "login" - }, - "kind": "admin#reports#activity", - "organization": { - "domain": "elastic.com" - }, - "saml": { - "application_name": "app", - "failure_type": "failure_app_not_configured_for_user", - "initiated_by": "idp", - "orgunit_path": "ounit", - "second_level_status_code": "SUCCESS_URI", - "status_code": "SUCCESS_URI" - } - }, - "input": { - "type": "httpjson" - }, - "organization": { - "id": "1" - }, - "related": { - "ip": [ - "98.235.162.24" - ], - "user": [ - "foo" - ] - }, - "source": { - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, Inc." - } - }, - "ip": "98.235.162.24", - "user": { - "domain": "bar.com", - "email": "foo@bar.com", - "id": "1", - "name": "foo" - } - }, - "tags": [ - "forwarded", - "google-workspace-saml" - ], - "user": { - "domain": "bar.com", - "id": "1", - "name": "foo" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| google_workspace.actor.key | Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. | keyword | -| google_workspace.actor.type | The type of actor. Values can be: \*USER\*: Another user in the same domain. \*EXTERNAL_USER\*: A user outside the domain. \*KEY\*: A non-human actor. | keyword | -| google_workspace.event.type | The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | -| google_workspace.kind | The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | -| google_workspace.organization.domain | The domain that is affected by the report's event. | keyword | -| google_workspace.saml.application_name | Saml SP application name. | keyword | -| google_workspace.saml.failure_type | Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. | keyword | -| google_workspace.saml.initiated_by | Requester of SAML authentication. | keyword | -| google_workspace.saml.orgunit_path | User orgunit. | keyword | -| google_workspace.saml.second_level_status_code | SAML second level status code. | keyword | -| google_workspace.saml.status_code | SAML status code. | keyword | -| group.domain | Name of the directory the group is a member of. 
For example, an LDAP or Active Directory domain name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| organization.id | Unique identifier for the organization. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. 
| keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| source.user.email | User email address. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.target.email | User email address. | keyword | -| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.target.group.name | Name of the group. | keyword | -| user.target.id | Unique identifier of the user. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. 
| match_only_text | - - -### User Accounts - -This is the `user_accounts` dataset. - -An example event for `user_accounts` looks as following: - -```json -{ - "@timestamp": "2022-02-02T12:28:15.000Z", - "agent": { - "ephemeral_id": "3242bd5f-5862-4205-97eb-6aaac7d3f3d5", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "google_workspace.user_accounts", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "2sv_disable", - "agent_id_status": "verified", - "category": [ - "iam" - ], - "created": "2022-02-03T12:28:15.402Z", - "dataset": "google_workspace.user_accounts", - "id": "1", - "ingested": "2022-02-03T12:28:16Z", - "provider": "user_accounts", - "type": [ - "change", - "user" - ] - }, - "google_workspace": { - "actor": { - "type": "USER" - }, - "event": { - "type": "2sv_change" - }, - "kind": "admin#reports#activity", - "organization": { - "domain": "elastic.com" - } - }, - "input": { - "type": "httpjson" - }, - "organization": { - "id": "1" - }, - "related": { - "ip": [ - "98.235.162.24" - ], - "user": [ - "foo" - ] - }, - "source": { - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, Inc." - } - }, - "ip": "98.235.162.24", - "user": { - "domain": "bar.com", - "email": "foo@bar.com", - "id": "1", - "name": "foo" - } - }, - "tags": [ - "forwarded", - "google-workspace-user-accounts" - ], - "user": { - "domain": "bar.com", - "id": "1", - "name": "foo" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. 
for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | -| google_workspace.actor.key | Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. | keyword | -| google_workspace.actor.type | The type of actor. Values can be: \*USER\*: Another user in the same domain. \*EXTERNAL_USER\*: A user outside the domain. \*KEY\*: A non-human actor. | keyword | -| google_workspace.event.type | The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | -| google_workspace.kind | The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | -| google_workspace.organization.domain | The domain that is affected by the report's event. | keyword | -| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. 
Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| organization.id | Unique identifier for the organization. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| source.user.email | User email address. | keyword |
-| source.user.id | Unique identifier of the user. | keyword |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.target.email | User email address. | keyword |
-| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.target.group.id | Unique identifier for the group on the system/platform. | keyword |
-| user.target.group.name | Name of the group. | keyword |
-| user.target.id | Unique identifier of the user. | keyword |
-| user.target.name | Short name or login of the user. | keyword |
-| user.target.name.text | Multi-field of `user.target.name`. | match_only_text |
-
-
-### Login Accounts
-
-This is the `login` dataset.
-
-An example event for `login` looks as following:
-
-```json
-{
- "@timestamp": "2022-02-02T12:26:31.000Z",
- "agent": {
- "ephemeral_id": "0b8db1d7-2f2e-4e9d-84d8-f3b4409101ef",
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "data_stream": {
- "dataset": "google_workspace.login",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "action": "account_disabled_password_leak",
- "agent_id_status": "verified",
- "category": [
- "authentication"
- ],
- "created": "2022-02-03T12:26:31.037Z",
- "dataset": "google_workspace.login",
- "id": "1",
- "ingested": "2022-02-03T12:26:32Z",
- "provider": "login",
- "type": [
- "user",
- "change"
- ]
- },
- "google_workspace": {
- "actor": {
- "type": "USER"
- },
- "event": {
- "type": "account_warning"
- },
- "kind": "admin#reports#activity",
- "login": {
- "affected_email_address": "foo@elastic.co"
- },
- "organization": {
- "domain": "elastic.com"
- }
- },
- "input": {
- "type": "httpjson"
- },
- "organization": {
- "id": "1"
- },
- "related": {
- "ip": [
- "98.235.162.24"
- ],
- "user": [
- "foo",
- "foo"
- ]
- },
- "source": {
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, Inc."
- }
- },
- "ip": "98.235.162.24",
- "user": {
- "domain": "bar.com",
- "email": "foo@bar.com",
- "id": "1",
- "name": "foo"
- }
- },
- "tags": [
- "forwarded",
- "google-workspace-login"
- ],
- "user": {
- "domain": "bar.com",
- "id": "1",
- "name": "foo",
- "target": {
- "domain": "elastic.co",
- "name": "foo"
- }
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| google_workspace.actor.key | Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. | keyword |
-| google_workspace.actor.type | The type of actor. Values can be: \*USER\*: Another user in the same domain. \*EXTERNAL_USER\*: A user outside the domain. \*KEY\*: A non-human actor. | keyword |
-| google_workspace.event.type | The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword |
-| google_workspace.kind | The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword |
-| google_workspace.login.affected_email_address | | keyword |
-| google_workspace.login.challenge_method | Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | keyword |
-| google_workspace.login.challenge_status | Login challenge status. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | keyword |
-| google_workspace.login.failure_type | Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | keyword |
-| google_workspace.login.is_second_factor | | boolean |
-| google_workspace.login.is_suspicious | | boolean |
-| google_workspace.login.timestamp | UNIX timestmap of login in microseconds. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | long |
-| google_workspace.login.type | Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | keyword |
-| google_workspace.organization.domain | The domain that is affected by the report's event. | keyword |
-| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| organization.id | Unique identifier for the organization. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| source.user.email | User email address. | keyword |
-| source.user.id | Unique identifier of the user. | keyword |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.target.email | User email address. | keyword |
-| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.target.group.id | Unique identifier for the group on the system/platform. | keyword |
-| user.target.group.name | Name of the group. | keyword |
-| user.target.id | Unique identifier of the user. | keyword |
-| user.target.name | Short name or login of the user. | keyword |
-| user.target.name.text | Multi-field of `user.target.name`. | match_only_text |
-
-
-### Admin
-
-This is the `admin` dataset.
-
-An example event for `admin` looks as following:
-
-```json
-{
- "@timestamp": "2022-02-02T12:23:57.000Z",
- "agent": {
- "ephemeral_id": "68cf8bd1-0ff1-4c77-a4e7-64ab24882a9c",
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "data_stream": {
- "dataset": "google_workspace.admin",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "action": "CHANGE_APPLICATION_SETTING",
- "agent_id_status": "verified",
- "category": [
- "iam",
- "configuration"
- ],
- "created": "2022-02-03T12:23:57.797Z",
- "dataset": "google_workspace.admin",
- "id": "1",
- "ingested": "2022-02-03T12:23:58Z",
- "provider": "admin",
- "type": [
- "change"
- ]
- },
- "google_workspace": {
- "actor": {
- "type": "USER"
- },
- "admin": {
- "application": {
- "edition": "basic",
- "name": "drive"
- },
- "group": {
- "email": "group@example.com"
- },
- "new_value": "new",
- "old_value": "old",
- "org_unit": {
- "name": "org"
- },
- "setting": {
- "name": "setting"
- }
- },
- "event": {
- "type": "APPLICATION_SETTINGS"
- },
- "kind": "admin#reports#activity",
- "organization": {
- "domain": "elastic.com"
- }
- },
- "group": {
- "domain": "example.com",
- "name": "group"
- },
- "input": {
- "type": "httpjson"
- },
- "organization": {
- "id": "1"
- },
- "related": {
- "ip": [
- "98.235.162.24"
- ],
- "user": [
- "foo"
- ]
- },
- "source": {
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, Inc."
- }
- },
- "ip": "98.235.162.24",
- "user": {
- "domain": "bar.com",
- "email": "foo@bar.com",
- "id": "1",
- "name": "foo"
- }
- },
- "tags": [
- "forwarded",
- "google-workspace-admin"
- ],
- "user": {
- "domain": "bar.com",
- "id": "1",
- "name": "foo",
- "target": {
- "group": {
- "domain": "example.com",
- "name": "group"
- }
- }
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| google_workspace.actor.key | Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. | keyword |
-| google_workspace.actor.type | The type of actor. Values can be: \*USER\*: Another user in the same domain. \*EXTERNAL_USER\*: A user outside the domain. \*KEY\*: A non-human actor. | keyword |
-| google_workspace.admin.alert.name | The alert name. | keyword |
-| google_workspace.admin.api.client.name | The API client name. | keyword |
-| google_workspace.admin.api.scopes | The API scopes. | keyword |
-| google_workspace.admin.application.asp_id | The application specific password ID. | keyword |
-| google_workspace.admin.application.edition | The Google Workspace edition. | keyword |
-| google_workspace.admin.application.enabled | The enabled application. | keyword |
-| google_workspace.admin.application.id | The application ID. | keyword |
-| google_workspace.admin.application.licences_order_number | Order number used to redeem licenses. | keyword |
-| google_workspace.admin.application.licences_purchased | Number of licences purchased. | long |
-| google_workspace.admin.application.name | The application's name. | keyword |
-| google_workspace.admin.application.package_id | The mobile application package ID. | keyword |
-| google_workspace.admin.bulk_upload.failed | Number of failed records in bulk upload operation. | long |
-| google_workspace.admin.bulk_upload.total | Number of total records in bulk upload operation. | long |
-| google_workspace.admin.chrome_licenses.allowed | Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings | keyword |
-| google_workspace.admin.chrome_licenses.enabled | Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings | keyword |
-| google_workspace.admin.chrome_os.session_type | Chrome OS session type. | keyword |
-| google_workspace.admin.device.command_details | Command details. | keyword |
-| google_workspace.admin.device.id | | keyword |
-| google_workspace.admin.device.serial_number | Device serial number. | keyword |
-| google_workspace.admin.device.type | Device type. | keyword |
-| google_workspace.admin.distribution.entity.name | The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings | keyword |
-| google_workspace.admin.distribution.entity.type | The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings | keyword |
-| google_workspace.admin.domain.alias | The domain alias. | keyword |
-| google_workspace.admin.domain.name | The primary domain name. | keyword |
-| google_workspace.admin.domain.secondary_name | The secondary domain name. | keyword |
-| google_workspace.admin.email.log_search_filter.end_date | The log search filter's ending date. | date |
-| google_workspace.admin.email.log_search_filter.message_id | The log search filter's email message ID. | keyword |
-| google_workspace.admin.email.log_search_filter.recipient.ip | The log search filter's email recipient's IP address. | ip |
-| google_workspace.admin.email.log_search_filter.recipient.value | The log search filter's email recipient. | keyword |
-| google_workspace.admin.email.log_search_filter.sender.ip | The log search filter's email sender's IP address. | ip |
-| google_workspace.admin.email.log_search_filter.sender.value | The log search filter's email sender. | keyword |
-| google_workspace.admin.email.log_search_filter.start_date | The log search filter's start date. | date |
-| google_workspace.admin.email.quarantine_name | The name of the quarantine. | keyword |
-| google_workspace.admin.email_dump.include_deleted | Indicates if deleted emails are included in the export. | boolean |
-| google_workspace.admin.email_dump.package_content | The contents of the mailbox package. | keyword |
-| google_workspace.admin.email_dump.query | The search query used for the dump. | keyword |
-| google_workspace.admin.email_monitor.dest_email | The destination address of the email monitor. | keyword |
-| google_workspace.admin.email_monitor.level.chat | The chat email monitor level. | keyword |
-| google_workspace.admin.email_monitor.level.draft | The draft email monitor level. | keyword |
-| google_workspace.admin.email_monitor.level.incoming | The incoming email monitor level. | keyword |
-| google_workspace.admin.email_monitor.level.outgoing | The outgoing email monitor level. | keyword |
-| google_workspace.admin.field | The name of the field. | keyword |
-| google_workspace.admin.gateway.name | Gateway name. Present on some chat settings. | keyword |
-| google_workspace.admin.group.allowed_list | Names of allow-listed groups. | keyword |
-| google_workspace.admin.group.email | The group's primary email address. | keyword |
-| google_workspace.admin.group.priorities | Group priorities. | keyword |
-| google_workspace.admin.info_type | This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings | keyword |
-| google_workspace.admin.managed_configuration | The name of the managed configuration. | keyword |
-| google_workspace.admin.mdm.token | The MDM vendor enrollment token. | keyword |
-| google_workspace.admin.mdm.vendor | The MDM vendor's name. | keyword |
-| google_workspace.admin.mobile.action.id | The mobile device action's ID. | keyword |
-| google_workspace.admin.mobile.action.type | The mobile device action's type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings | keyword |
-| google_workspace.admin.mobile.certificate.name | The mobile certificate common name. | keyword |
-| google_workspace.admin.mobile.company_owned_devices | The number of devices a company owns. | long |
-| google_workspace.admin.new_value | The new value for the setting. | keyword |
-| google_workspace.admin.non_featured_services_selection | Non-featured services selection. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED | keyword |
-| google_workspace.admin.oauth2.application.id | OAuth2 application ID. | keyword |
-| google_workspace.admin.oauth2.application.name | OAuth2 application name. | keyword |
-| google_workspace.admin.oauth2.application.type | OAuth2 application type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings | keyword |
-| google_workspace.admin.oauth2.service.name | OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings | keyword |
-| google_workspace.admin.old_value | The old value for the setting. | keyword |
-| google_workspace.admin.org_unit.full | The org unit full path including the root org unit name. | keyword |
-| google_workspace.admin.org_unit.name | The organizational unit name. | keyword |
-| google_workspace.admin.print_server.name | The name of the print server. | keyword |
-| google_workspace.admin.printer.name | The name of the printer. | keyword |
-| google_workspace.admin.privilege.name | Privilege name. | keyword |
-| google_workspace.admin.product.name | The product name. | keyword |
-| google_workspace.admin.product.sku | The product SKU. | keyword |
-| google_workspace.admin.request.id | The request ID. | keyword |
-| google_workspace.admin.resource.id | The name of the resource identifier. | keyword |
-| google_workspace.admin.role.id | Unique identifier for this role privilege. | keyword |
-| google_workspace.admin.role.name | The role name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings | keyword |
-| google_workspace.admin.rule.name | The rule name. | keyword |
-| google_workspace.admin.service.name | The service name. | keyword |
-| google_workspace.admin.setting.description | The setting name. | keyword |
-| google_workspace.admin.setting.name | The setting name. | keyword |
-| google_workspace.admin.url.name | The website name. | keyword |
-| google_workspace.admin.user.birthdate | The user's birth date. | date |
-| google_workspace.admin.user.email | The user's primary email address. | keyword |
-| google_workspace.admin.user.nickname | The user's nickname. | keyword |
-| google_workspace.admin.user_defined_setting.name | The name of the user-defined setting. | keyword |
-| google_workspace.admin.verification_method | Related verification method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings | keyword |
-| google_workspace.event.type | The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword |
-| google_workspace.kind | The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword |
-| google_workspace.organization.domain | The domain that is affected by the report's event. | keyword |
-| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. 
If the event wasn't read from a log file, do not populate this field. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.name | Name given by operators to sections of their network. | keyword | -| organization.id | Unique identifier for the organization. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. 
| keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| source.user.email | User email address. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. 
| match_only_text | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
| keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| url.username | Username of the request. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.target.email | User email address. | keyword | -| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.target.group.name | Name of the group. | keyword | -| user.target.id | Unique identifier of the user. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | - - -### Drive - -This is the `drive` dataset. 
- -An example event for `drive` looks as following: - -```json -{ - "@timestamp": "2022-02-02T12:24:50.000Z", - "agent": { - "ephemeral_id": "3160d231-025f-4e24-9581-72458c960fca", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "google_workspace.drive", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "add_to_folder", - "agent_id_status": "verified", - "category": [ - "file" - ], - "created": "2022-02-03T12:24:50.101Z", - "dataset": "google_workspace.drive", - "id": "1", - "ingested": "2022-02-03T12:24:51Z", - "provider": "drive", - "type": [ - "change" - ] - }, - "file": { - "name": "document title", - "owner": "owner", - "type": "file" - }, - "google_workspace": { - "actor": { - "type": "USER" - }, - "drive": { - "billable": false, - "destination_folder_id": "1234", - "destination_folder_title": "folder title", - "file": { - "id": "1234", - "owner": { - "email": "owner@example.com", - "is_shared_drive": false - }, - "type": "document" - }, - "originating_app_id": "1234", - "primary_event": true, - "visibility": "people_with_link" - }, - "event": { - "type": "access" - }, - "kind": "admin#reports#activity", - "organization": { - "domain": "elastic.com" - } - }, - "input": { - "type": "httpjson" - }, - "organization": { - "id": "1" - }, - "related": { - "ip": [ - "98.235.162.24" - ], - "user": [ - "owner", - "foo" - ] - }, - "source": { - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, Inc." 
- } - }, - "ip": "98.235.162.24", - "user": { - "domain": "bar.com", - "email": "foo@bar.com", - "id": "1", - "name": "foo" - } - }, - "tags": [ - "forwarded", - "google-workspace-drive" - ], - "user": { - "domain": "bar.com", - "id": "1", - "name": "foo" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.owner | File owner's username. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.type | File type (file, dir, or symlink). | keyword | -| google_workspace.actor.key | Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. | keyword | -| google_workspace.actor.type | The type of actor. Values can be: \*USER\*: Another user in the same domain. \*EXTERNAL_USER\*: A user outside the domain. \*KEY\*: A non-human actor. | keyword | -| google_workspace.drive.added_role | Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword | -| google_workspace.drive.billable | Whether this activity is billable. 
| boolean | -| google_workspace.drive.destination_folder_id | | keyword | -| google_workspace.drive.destination_folder_title | | keyword | -| google_workspace.drive.file.id | | keyword | -| google_workspace.drive.file.owner.email | | keyword | -| google_workspace.drive.file.owner.is_shared_drive | Boolean flag denoting whether owner is a shared drive. | boolean | -| google_workspace.drive.file.type | Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword | -| google_workspace.drive.membership_change_type | Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword | -| google_workspace.drive.new_value | When a setting or property of the file changes, the new value for it will appear here. | keyword | -| google_workspace.drive.old_value | When a setting or property of the file changes, the old value for it will appear here. | keyword | -| google_workspace.drive.old_visibility | When visibility changes, this holds the old value. | keyword | -| google_workspace.drive.originating_app_id | The Google Cloud Project ID of the application that performed the action. | keyword | -| google_workspace.drive.primary_event | Whether this is a primary event. A single user action in Drive may generate several events. | boolean | -| google_workspace.drive.removed_role | Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword | -| google_workspace.drive.shared_drive_id | The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive. | keyword | -| google_workspace.drive.shared_drive_settings_change_type | Type of change in Team Drive settings. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword | -| google_workspace.drive.sheets_import_range_recipient_doc | Doc ID of the recipient of a sheets import range. | keyword | -| google_workspace.drive.source_folder_id | | keyword | -| google_workspace.drive.source_folder_title | | keyword | -| google_workspace.drive.target | Target user or group. | keyword | -| google_workspace.drive.target_domain | The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. | keyword | -| google_workspace.drive.visibility | Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword | -| google_workspace.drive.visibility_change | When visibility changes, this holds the new overall visibility of the file. | keyword | -| google_workspace.event.type | The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | -| google_workspace.kind | The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | -| google_workspace.organization.domain | The domain that is affected by the report's event. | keyword | -| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. 
| keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| organization.id | Unique identifier for the organization. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. 
| keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| source.user.email | User email address. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.target.email | User email address. | keyword | -| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.target.group.name | Name of the group. | keyword | -| user.target.id | Unique identifier of the user. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | - - -### Groups - -This is the `groups` dataset. 
- -An example event for `groups` looks as following: - -```json -{ - "@timestamp": "2022-02-02T12:25:39.000Z", - "agent": { - "ephemeral_id": "a9599f5d-49a5-4339-9e5e-484f19370712", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "google_workspace.groups", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "change_acl_permission", - "agent_id_status": "verified", - "category": [ - "iam" - ], - "created": "2022-02-03T12:25:39.375Z", - "dataset": "google_workspace.groups", - "id": "1", - "ingested": "2022-02-03T12:25:40Z", - "provider": "groups", - "type": [ - "group", - "change" - ] - }, - "google_workspace": { - "actor": { - "type": "USER" - }, - "event": { - "type": "acl_change" - }, - "groups": { - "acl_permission": "can_add_members", - "email": "group@example.com", - "new_value": [ - "managers", - "members" - ], - "old_value": [ - "managers" - ] - }, - "kind": "admin#reports#activity", - "organization": { - "domain": "elastic.com" - } - }, - "group": { - "domain": "example.com", - "name": "group" - }, - "input": { - "type": "httpjson" - }, - "organization": { - "id": "1" - }, - "related": { - "ip": [ - "98.235.162.24" - ], - "user": [ - "foo" - ] - }, - "source": { - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, Inc." 
- } - }, - "ip": "98.235.162.24", - "user": { - "domain": "bar.com", - "email": "foo@bar.com", - "id": "1", - "name": "foo" - } - }, - "tags": [ - "forwarded", - "google-workspace-groups" - ], - "user": { - "domain": "bar.com", - "id": "1", - "name": "foo", - "target": { - "group": { - "domain": "example.com", - "name": "group" - } - } - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. 
| keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. 
It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| google_workspace.actor.key | Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. | keyword | -| google_workspace.actor.type | The type of actor. Values can be: \*USER\*: Another user in the same domain. \*EXTERNAL_USER\*: A user outside the domain. \*KEY\*: A non-human actor. | keyword | -| google_workspace.event.type | The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | -| google_workspace.groups.acl_permission | Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword | -| google_workspace.groups.email | Group email. | keyword | -| google_workspace.groups.member.email | Member email. | keyword | -| google_workspace.groups.member.role | Member role. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword | -| google_workspace.groups.message.id | SMTP message Id of an email message. Present for moderation events. | keyword | -| google_workspace.groups.message.moderation_action | Message moderation action. Possible values are `approved` and `rejected`. | keyword | -| google_workspace.groups.new_value | New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword | -| google_workspace.groups.old_value | Old value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword | -| google_workspace.groups.setting | Group setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword | -| google_workspace.groups.status | A status describing the output of an operation. Possible values are `failed` and `succeeded`. | keyword | -| google_workspace.groups.value | Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword | -| google_workspace.kind | The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | -| google_workspace.organization.domain | The domain that is affected by the report's event. | keyword | -| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. 
| keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. 
| keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| organization.id | Unique identifier for the organization. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. 
| keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| source.user.email | User email address. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.target.email | User email address. | keyword | -| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.target.group.name | Name of the group. | keyword | -| user.target.id | Unique identifier of the user. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | - diff --git a/packages/google_workspace/1.5.0/img/logo.svg b/packages/google_workspace/1.5.0/img/logo.svg deleted file mode 100755 index c06982fbad..0000000000 --- a/packages/google_workspace/1.5.0/img/logo.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file 
diff --git a/packages/google_workspace/1.5.0/manifest.yml b/packages/google_workspace/1.5.0/manifest.yml deleted file mode 100755 index 77b1ab10bc..0000000000 --- a/packages/google_workspace/1.5.0/manifest.yml +++ /dev/null 
@@ -1,92 +0,0 @@ -name: google_workspace -title: Google Workspace Audit Reports -version: 1.5.0 -release: ga -description: Collect audit reports from Google Workspaces with Elastic Agent. -type: integration -format_version: 1.0.0 -license: basic -icons: - - src: /img/logo.svg - title: logo Google - size: 32x32 - type: image/svg+xml -categories: - - security -conditions: - kibana.version: ^8.4.0 -policy_templates: - - name: google_workspace - title: Google Workspace logs - description: Collect logs from Google Workspace APIs - inputs: - - type: httpjson - vars: - - name: jwt_file - type: text - title: Jwt File - description: Specifies the path to the JWT credentials file. - multi: false - required: false - show_user: true - - name: jwt_json - type: text - title: Jwt JSON - description: | - Raw contents of the JWT file. Useful when hosting - a file along with the agent is not possible. - multi: false - required: false - show_user: true - - name: delegated_account - type: text - title: Delegated Account - description: Email of the admin user used to access the API. - multi: false - required: true - show_user: true - - name: initial_interval - type: text - title: Initial Interval - multi: false - required: true - show_user: true - default: 24h - - name: http_client_timeout - type: text - title: Http Client Timeout - description: Duration of the time limit on HTTP requests. - multi: false - required: true - show_user: true - default: 60s - - name: user_key - type: text - title: User Key - description: Specifies the user key to fetch reports from. - multi: false - required: true - show_user: true - default: all - - name: interval - type: text - title: Interval - description: > - Duration between requests to the API. Google Workspace defaults to a 2 hour polling interval because Google reports can go from some minutes up to 3 days of delay. For more details on this, you can read more at https://support.google.com/a/answer/7061566. 
- - multi: false - required: true - show_user: true - default: 2h - - name: api_host - type: text - title: API Host. - description: The Google Workspace API Host. The path will be automatically set. - multi: false - required: true - show_user: false - default: https://www.googleapis.com - title: "Collect admin, drive, groups, login, saml and user accounts logs (input: httpjson)" - description: "Collecting admin, drive, groups, login, saml and user accounts logs (input: httpjson)" -owner: - github: elastic/security-external-integrations diff --git a/packages/keycloak/1.3.1/changelog.yml b/packages/keycloak/1.3.1/changelog.yml deleted file mode 100755 index 5017744458..0000000000 --- a/packages/keycloak/1.3.1/changelog.yml +++ /dev/null @@ -1,31 +0,0 @@ -# newer versions go on top -- version: "1.3.1" - changes: - - description: Add link to keycloak documentation - type: enhancement - link: https://github.com/elastic/integrations/pull/3136 -- version: "1.3.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "1.2.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.2.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2419 -- version: "1.1.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2273 -- version: "1.0.0" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/1913 diff --git a/packages/keycloak/1.3.1/data_stream/log/agent/stream/filestream.yml.hbs b/packages/keycloak/1.3.1/data_stream/log/agent/stream/filestream.yml.hbs deleted file mode 100755 index bc2ae91604..0000000000 
--- a/packages/keycloak/1.3.1/data_stream/log/agent/stream/filestream.yml.hbs +++ /dev/null @@ -1,25 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -prospector.scanner.exclude_files: ['\.gz$'] -processors: -{{#if processors}} -{{processors}} -{{/if}} -- add_locale: ~ -- add_fields: - target: _tmp - fields: - tz_offset: {{tz_offset}} - only_user_events: {{only_user_events}} \ No newline at end of file diff --git a/packages/keycloak/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/keycloak/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index b1005cbec6..0000000000 --- a/packages/keycloak/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,73 +0,0 @@ ---- -description: Pipeline for parsing keycloak logs -processors: -- set: - field: ecs.version - value: '8.2.0' -- rename: - field: message - target_field: event.original -- grok: - field: event.original - patterns: - - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{LOGLEVEL:log.level}%{SPACE}\\[%{JAVACLASS:log.logger}\\] \\(%{DATA:process.thread.name}\\) %{GREEDYDATA:message}" -- set: - field: event.timezone - value: "{{_tmp.tz_offset}}" - if: ctx._tmp?.tz_offset != null && ctx._tmp?.tz_offset != 'local' -- date: - field: _tmp.timestamp - target_field: '@timestamp' - timezone: "{{ event.timezone }}" - formats: - - yyyy-MM-dd HH:mm:ss,SSS - if: ctx.event?.timezone != null -- date: - field: _tmp.timestamp - target_field: '@timestamp' - formats: - - yyyy-MM-dd HH:mm:ss,SSS - if: ctx.event?.timezone == null -- pipeline: - name: '{{ IngestPipeline "events" }}' - if: "ctx.log?.logger == 'org.keycloak.events'" -- drop: - if: "ctx._tmp?.only_user_events && ctx.log?.logger != 'org.keycloak.events'" -- remove: - field: - - _tmp - ignore_missing: true -- remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. 
- source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/keycloak/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/events.yml b/packages/keycloak/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/events.yml deleted file mode 100755 index d5f85a41cb..0000000000 --- a/packages/keycloak/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/events.yml +++ /dev/null 
@@ -1,221 +0,0 @@ ---- -description: Pipeline for parsing keycloak http logs -processors: -- kv: - field: message - target_field: json - field_split: ", " - value_split: "=" - ignore_missing: true -- rename: - field: json.type - target_field: keycloak.login.type - ignore_missing: true -- rename: - field: json.operationType - target_field: keycloak.admin.operation - ignore_missing: true -- rename: - field: json.resourceType - target_field: keycloak.admin.resource.type - ignore_missing: true -- rename: - field: json.resourcePath - target_field: keycloak.admin.resource.path - ignore_missing: true -- set: - field: keycloak.event_type - value: login - if: ctx.keycloak?.login != null -- set: - field: keycloak.event_type - value: admin - if: ctx.keycloak?.admin != null -- set: - field: event.code - value: "{{{keycloak.admin.operation}}}-{{{keycloak.admin.resource.type}}}" - if: ctx.keycloak?.admin != null -- set: - field: event.action - copy_from: event.code - ignore_empty_value: true - if: ctx.keycloak?.admin != null -- rename: - field: json.error - target_field: event.code - ignore_missing: true - if: ctx.keycloak?.login != null && ctx.event?.code == null -- set: - field: event.action - copy_from: keycloak.login.type - ignore_empty_value: true -- rename: - field: json.realmId - target_field: keycloak.realm.id - ignore_missing: true -- rename: - field: json.clientId - target_field: keycloak.client.id - ignore_missing: true - if: ctx.json?.clientId != "null" -- rename: - field: json.userId - target_field: user.id - ignore_missing: true - if: ctx.json?.userId != "null" -- rename: - field: json.ipAddress - target_field: source.address - ignore_missing: true -- convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - ignore_missing: true -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - 
organization_name - ignore_missing: true -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: json.redirect_uri - target_field: keycloak.login.redirect_uri - ignore_missing: true -- uri_parts: - field: keycloak.login.redirect_uri - ignore_failure: true -- rename: - field: json.auth_method - target_field: keycloak.login.auth_method - ignore_missing: true -- rename: - field: json.auth_type - target_field: keycloak.login.auth_type - ignore_missing: true -- rename: - field: json.code_id - target_field: keycloak.login.code_id - ignore_missing: true -- rename: - field: json.username - target_field: user.name - ignore_missing: true -- rename: - field: json.authSessionParentId - target_field: keycloak.login.auth_session_parent_id - ignore_missing: true -- rename: - field: json.authSessionTabId - target_field: keycloak.login.auth_session_tab_id - ignore_missing: true -- grok: - field: keycloak.admin.resource.path - patterns: - - 'users/%{UUID:user.target.id}' - - 'groups/%{UUID:group.id}' - ignore_failure: true - ignore_missing: true -- set: - field: event.kind - value: event -- append: - field: event.category - value: - - authentication - if: ctx.keycloak?.login != null -- append: - field: event.type - value: - - info -- append: - field: event.type - value: - - denied - if: ctx.keycloak?.login?.type == 'LOGIN_ERROR' -- append: - field: event.type - value: - - start - - allowed - if: ctx.keycloak?.login?.type == 'LOGIN' -- append: - field: event.type - value: - - end - if: ctx.keycloak?.login?.type == 'LOGOUT' -- append: - field: event.category - value: - - iam - if: ctx.keycloak?.admin != null -- append: - field: event.type - value: - - admin - if: ctx.keycloak?.admin != null -- append: - field: event.type - value: - - creation - if: ctx.keycloak?.admin?.operation == "CREATE" -- append: - field: 
event.type - value: - - change - if: ctx.keycloak?.admin?.operation == "UPDATE" -- append: - field: event.type - value: - - deletion - if: ctx.keycloak?.admin?.operation == "DELETE" -- append: - field: event.type - value: - - group - if: ctx.keycloak?.admin?.resource == "GROUP" -- append: - field: event.type - value: - - user - if: ctx.keycloak?.admin?.resource == "USER" -- append: - field: related.ip - value: "{{source.ip}}" - if: ctx.source?.ip != null -- append: - field: related.user - value: "{{user.id}}" - if: ctx.user?.id != null -- append: - field: related.user - value: "{{user.target.id}}" - if: ctx.user?.target?.id != null -- append: - field: related.hosts - value: "{{url.domain}}" - if: ctx.url?.domain != null -- remove: - field: - - message - - json - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/keycloak/1.3.1/data_stream/log/fields/agent.yml b/packages/keycloak/1.3.1/data_stream/log/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/keycloak/1.3.1/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/keycloak/1.3.1/data_stream/log/fields/base-fields.yml b/packages/keycloak/1.3.1/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index 5efd7e55ae..0000000000
--- a/packages/keycloak/1.3.1/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: keycloak -- name: event.dataset - type: constant_keyword - description: Event dataset - value: keycloak.log -- name: "@timestamp" - type: date - description: Event timestamp.
diff --git a/packages/keycloak/1.3.1/data_stream/log/fields/beats.yml b/packages/keycloak/1.3.1/data_stream/log/fields/beats.yml
deleted file mode 100755
index cb44bb2944..0000000000
--- a/packages/keycloak/1.3.1/data_stream/log/fields/beats.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: input.type - type: keyword - description: Type of Filebeat input. -- name: log.flags - type: keyword - description: Flags for the log file. -- name: log.offset - type: long - description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file.
diff --git a/packages/keycloak/1.3.1/data_stream/log/fields/ecs.yml b/packages/keycloak/1.3.1/data_stream/log/fields/ecs.yml
deleted file mode 100755
index 440aa549bc..0000000000
--- a/packages/keycloak/1.3.1/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,189 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. 
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. 
- name: log.level - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: Thread name. - name: process.thread.name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Unique identifier of the user. - name: user.target.id - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". 
- name: url.path - type: wildcard - description: Port of the request, such as 443. - name: url.port - type: long -- name: url.scheme
diff --git a/packages/keycloak/1.3.1/data_stream/log/fields/fields.yml b/packages/keycloak/1.3.1/data_stream/log/fields/fields.yml
deleted file mode 100755
index 637184d34d..0000000000
--- a/packages/keycloak/1.3.1/data_stream/log/fields/fields.yml
+++ /dev/null
@@ -1,82 +0,0 @@
-- name: keycloak - type: group - description: > - Fields for Keycloak Event Logs - - fields: - - name: client.id - type: keyword - description: > - ID of the Keycloak client - - - name: realm.id - type: keyword - description: > - Keycloak Realm ID - - - name: event_type - type: keyword - description: > - Keycloak event type; Login or Admin - -- name: keycloak.admin - type: group - description: > - Fields for Keycloak Admin Event Logs - - fields: - - name: operation - type: keyword - description: > - Keycloak admin operation; Add, Update, Delete - - - name: resource.type - type: keyword - description: > - Type of keycloak resource being acted upon; Group, User, Client, Scope... - - - name: resource.path - type: keyword - description: > - Path to affected resource - -- name: keycloak.login - type: group - description: > - Fields for Keycloak Login Event Logs - - fields: - - name: auth_method - type: keyword - description: > - Keycloak authentication method (SAML or OpenID Connect) - - - name: auth_session_parent_id - type: keyword - description: > - Parent session ID - - - name: auth_session_tab_id - type: keyword - description: > - Session Tab ID - - - name: auth_type - type: keyword - description: > - OpenID Connect authentication type (code, implicit...) - - - name: code_id - type: keyword - description: > - OpenID Connect Code ID - - - name: redirect_uri - type: keyword - description: > - Keycloak redirect URL - - - name: type - type: keyword - description: >- - Event Type
diff --git a/packages/keycloak/1.3.1/data_stream/log/manifest.yml b/packages/keycloak/1.3.1/data_stream/log/manifest.yml
deleted file mode 100755
index dc505ba678..0000000000
--- a/packages/keycloak/1.3.1/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,58 +0,0 @@ -type: logs -title: Keycloak -streams: - - input: filestream - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /opt/jboss/standalone/logs/*.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - keycloak-log - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: tz_offset - type: text - title: Timezone Offset - multi: false - required: true - show_user: true - default: local - description: >- - By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT. - - name: only_user_events - required: true - show_user: true - title: Only ingest Keycloak user driven events; logins, config changes... - description: Ignores background Wildfly and Jboss log messages - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: "filestream.yml.hbs" - title: Keycloak logs - description: Collect Keycloak logs via log files 
diff --git a/packages/keycloak/1.3.1/data_stream/log/sample_event.json b/packages/keycloak/1.3.1/data_stream/log/sample_event.json
deleted file mode 100755
index c942b9ceb6..0000000000
--- a/packages/keycloak/1.3.1/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,73 +0,0 @@ -{ - "@timestamp": "2021-10-22T21:01:42.667-05:00", - "agent": { - "ephemeral_id": "3fa6009c-adab-4e39-9c43-05f16ba9ef47", - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "keycloak.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "agent_id_status": "verified", - "dataset": "keycloak.log", - "ingested": "2022-01-01T23:08:55Z", - "original": "2021-10-22 21:01:42,667 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 64) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication", - "timezone": "-05:00" - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "id": "4ccba669f0df47fa3f57a9e4169ae7f1", - "ip": [ - "172.18.0.5" - ], - "mac": [ - "02:42:ac:12:00:05" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "Core", - "family": "redhat", - "kernel": "5.11.0-43-generic", - "name": "CentOS Linux", - "platform": "centos", - "type": "linux", - "version": "7 (Core)" - } - }, - "input": { - "type": "filestream" - }, - "log": { - "file": { - "path": "/tmp/service_logs/test-log.log" - }, - "level": "INFO", - "logger": "org.jboss.resteasy.resteasy_jaxrs.i18n", - "offset": 928 - }, - "message": "RESTEASY002220: Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication", - "process": { - "thread": { - "name": "ServerService Thread Pool -- 64" - } - }, - "tags": [ - "preserve_original_event", - "keycloak-log" - ] -} \ No newline at end of file 
diff --git a/packages/keycloak/1.3.1/docs/README.md b/packages/keycloak/1.3.1/docs/README.md
deleted file mode 100755
index 07a2892b8d..0000000000
--- a/packages/keycloak/1.3.1/docs/README.md
+++ /dev/null
@@ -1,207 +0,0 @@ -# Keycloak Integration - -The Keycloak integration collects events from the [Keycloak](https://www.keycloak.org/server/logging) log files. - -To enable logging of all Keycloak events like logins, user creation/updates/deletions.... add the below -``` - - - -``` -to your configuration XML file (ie standalone.xml) under the path below -``` - - - - .... - - - -``` -## Logs - -### log - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| keycloak.admin.operation | Keycloak admin operation; Add, Update, Delete | keyword | -| keycloak.admin.resource.path | Path to affected resource | keyword | -| keycloak.admin.resource.type | Type of keycloak resource being acted upon; Group, User, Client, Scope... 
| keyword | -| keycloak.client.id | ID of the Keycloak client | keyword | -| keycloak.event_type | Keycloak event type; Login or Admin | keyword | -| keycloak.login.auth_method | Keycloak authentication method (SAML or OpenID Connect) | keyword | -| keycloak.login.auth_session_parent_id | Parent session ID | keyword | -| keycloak.login.auth_session_tab_id | Session Tab ID | keyword | -| keycloak.login.auth_type | OpenID Connect authentication type (code, implicit...) | keyword | -| keycloak.login.code_id | OpenID Connect Code ID | keyword | -| keycloak.login.redirect_uri | Keycloak redirect URL | keyword | -| keycloak.login.type | Event Type | keyword | -| keycloak.realm.id | Keycloak Realm ID | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| process.thread.name | Thread name. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. 
| ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co".
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.scheme | | |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user.target.id | Unique identifier of the user.
| keyword |
-
-
-An example event for `log` looks as following:
-
-```json
-{
- "@timestamp": "2021-10-22T21:01:42.667-05:00",
- "agent": {
- "ephemeral_id": "3fa6009c-adab-4e39-9c43-05f16ba9ef47",
- "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "data_stream": {
- "dataset": "keycloak.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "agent_id_status": "verified",
- "dataset": "keycloak.log",
- "ingested": "2022-01-01T23:08:55Z",
- "original": "2021-10-22 21:01:42,667 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 64) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication",
- "timezone": "-05:00"
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "id": "4ccba669f0df47fa3f57a9e4169ae7f1",
- "ip": [
- "172.18.0.5"
- ],
- "mac": [
- "02:42:ac:12:00:05"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "Core",
- "family": "redhat",
- "kernel": "5.11.0-43-generic",
- "name": "CentOS Linux",
- "platform": "centos",
- "type": "linux",
- "version": "7 (Core)"
- }
- },
- "input": {
- "type": "filestream"
- },
- "log": {
- "file": {
- "path": "/tmp/service_logs/test-log.log"
- },
- "level": "INFO",
- "logger": "org.jboss.resteasy.resteasy_jaxrs.i18n",
- "offset": 928
- },
- "message": "RESTEASY002220: Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication",
- "process": {
- "thread": {
- "name": "ServerService Thread Pool -- 64"
- }
- },
- "tags": [
- "preserve_original_event",
- "keycloak-log"
- ]
-}
-```
\ No newline at
end of file diff --git a/packages/keycloak/1.3.1/img/keycloak-logo.svg b/packages/keycloak/1.3.1/img/keycloak-logo.svg deleted file mode 100755 index 570bcc1c30..0000000000 --- a/packages/keycloak/1.3.1/img/keycloak-logo.svg +++ /dev/null @@ -1 +0,0 @@ -keycloak_deliverables \ No newline at end of file diff --git a/packages/keycloak/1.3.1/manifest.yml b/packages/keycloak/1.3.1/manifest.yml deleted file mode 100755 index 437ae2779b..0000000000 --- a/packages/keycloak/1.3.1/manifest.yml +++ /dev/null @@ -1,26 +0,0 @@ -name: keycloak -title: Keycloak -version: 1.3.1 -release: ga -description: Keycloak Integration -type: integration -format_version: 1.0.0 -license: basic -categories: [security, network, web] -conditions: - kibana.version: "^7.16.0 || ^8.0.0" -icons: - - src: /img/keycloak-logo.svg - title: Keycloak - size: 256x256 - type: image/svg+xml -policy_templates: - - name: keycloak - title: Keycloak logs - description: Collect logs from Keycloak - inputs: - - type: filestream - title: "Collect Keycloak logs" - description: "Collecting logs from Keycloak" -owner: - github: elastic/security-external-integrations diff --git a/packages/microsoft_defender_endpoint/2.2.1/changelog.yml b/packages/microsoft_defender_endpoint/2.2.1/changelog.yml deleted file mode 100755 index a6750f5a6c..0000000000 --- a/packages/microsoft_defender_endpoint/2.2.1/changelog.yml +++ /dev/null 
@@ -1,46 +0,0 @@ -# newer versions go on top -- version: "2.2.1" - changes: - - description: Update to Readme to include link to vendor documentation - type: enhancement - link: https://github.com/elastic/integrations/pull/3272 -- version: "2.2.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2780 -- version: "2.1.0" - changes: - - description: Add possibility to choose azure resource - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "2.0.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "2.0.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2422 -- version: "1.1.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2234 -- version: "1.0.2" - changes: - - description: Update Title and Description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1971 -- version: "1.0.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1829 -- version: "1.0.0" - changes: - - description: First version - type: enhancement - link: https://github.com/elastic/integrations/pull/1777 diff --git a/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/agent/stream/httpjson.yml.hbs b/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 6d462e94fe..0000000000 --- a/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,45 +0,0 @@ -config_version: "2" -interval: {{interval}} -auth.oauth2.client.id: {{client_id}} -auth.oauth2.client.secret: {{client_secret}} -auth.oauth2.token_url: {{login_url}}/{{tenant_id}}/oauth2/token -auth.oauth2.provider: azure -auth.oauth2.azure.resource: {{azure_resource}} -request.url: {{request_url}} -request.method: GET -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} -request.transforms: - - set: - target: "header.User-Agent" - value: "MdatpPartner-Elastic-Filebeat/1.0.0" - - set: - target: "url.params.$expand" - value: evidence - - set: - target: "url.params.$filter" - value: 'lastUpdateTime gt [[formatDate .cursor.lastUpdateTime "2006-01-02T15:04:05.9999999Z"]]' - default: 'lastUpdateTime gt [[formatDate (now (parseDuration "-5m")) "2006-01-02T15:04:05.9999999Z"]]' -response.split: - target: body.value - split: - target: body.evidence - keep_parent: true -cursor: - lastUpdateTime: - value: "[[.last_response.body.lastUpdateTime]]" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/agent/stream/log.yml.hbs b/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/agent/stream/log.yml.hbs deleted file mode 100755 index 73636a0a7a..0000000000 --- a/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,19 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index ae0dff63fc..0000000000 --- a/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,326 +0,0 @@ ---- -description: Pipeline for parsing Microsoft Defender for Endpoint logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - remove: - field: - - json.comments - - host - - cloud - ignore_missing: true - -######################### -## ECS General Mapping ## -######################### - - script: - lang: painless - if: ctx?.json != null - params: - values: - - null - - "" - - "-" - - "N/A" - source: | - if (!ctx['json'].empty) { - ctx.json.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); - } - - script: - lang: painless - if: ctx?.json?.evidence != null - params: - values: - - null - - "" - - "-" - - "N/A" - source: | - if (!ctx.json['evidence'].empty) { - ctx.json.evidence.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); - } - - set: - field: cloud.provider - value: azure - - set: - field: '@timestamp' - value: '{{json.alertUpdateTime}}' - if: ctx.json?.alertUpdateTime != null - - rename: - field: json.aadTenantId - target_field: cloud.account.id - ignore_missing: true - - rename: - field: json.machineId - target_field: cloud.instance.id - ignore_missing: true - - rename: - field: json.title - target_field: message - ignore_missing: true - -####################### -## ECS Event Mapping ## -####################### - - set: - field: event.kind - value: alert -# Events returned from the API is always in UTC, so should never use anything else - - set: - field: event.timezone - value: UTC - - set: - field: event.action - value: '{{json.category}}' - if: ctx.json?.category != null - - set: - field: event.provider - value: defender_endpoint - - set: - field: event.created - value: '{{json.alertCreationTime}}' - if: ctx.json?.alertCreationTime != null - - append: - field: event.category - value: host - - append: - field: event.category - value: malware - if: 
ctx.json?.category == 'Malware' - - append: - field: event.category - value: process - if: ctx.json?.evidence?.entityType == 'Process' - - append: - field: event.type - value: user - if: ctx.json?.evidence?.entityType == 'User' - - append: - field: event.type - value: - - creation - - start - if: ctx.json?.status == 'New' - - append: - field: event.type - value: end - if: ctx.json?.status == 'Resolved' - - rename: - field: json.id - target_field: event.id - ignore_missing: true - - rename: - field: json.firstEventTime - target_field: event.start - ignore_missing: true - - rename: - field: json.lastEventTime - target_field: event.end - ignore_missing: true - - set: - field: event.severity - value: 0 - if: ctx.json?.severity == 'Unspecified' - - set: - field: event.severity - value: 1 - if: ctx.json?.severity == 'Informational' - - set: - field: event.severity - value: 2 - if: ctx.json?.severity == 'Low' - - set: - field: event.severity - value: 3 - if: ctx.json?.severity == 'Medium' - - set: - field: event.severity - value: 4 - if: ctx.json?.severity == 'High' - - script: - lang: painless - if: "ctx?.event?.start != null && ctx?.event?.end != null" - source: > - Instant eventstart = ZonedDateTime.parse(ctx?.event?.start).toInstant(); - Instant eventend = ZonedDateTime.parse(ctx?.event?.end).toInstant(); - ctx.event['duration'] = ChronoUnit.NANOS.between(eventstart, eventend); - -######################## -## ECS Threat Mapping ## -######################## - - set: - field: threat.framework - value: MITRE ATT&CK - if: ctx.json?.category != null - - rename: - field: json.category - target_field: threat.technique.name - ignore_missing: true - - rename: - field: json.description - target_field: rule.description - ignore_missing: true - if: (ctx.json?.description).length() < 1020 - -###################### -## ECS File Mapping ## -###################### - - rename: - field: json.evidence.fileName - target_field: file.name - ignore_missing: true - - rename: - field: 
json.evidence.sha256 - target_field: file.hash.sha256 - ignore_missing: true - - rename: - field: json.evidence.sha1 - target_field: file.hash.sha1 - ignore_missing: true - - rename: - field: json.evidence.filePath - target_field: file.path - ignore_missing: true - -###################### -## ECS Process Mapping ## -###################### - - rename: - field: json.evidence.processId - target_field: process.pid - ignore_missing: true - - rename: - field: json.evidence.processCommandLine - target_field: process.command_line - ignore_missing: true - - rename: - field: json.evidence.processCreationTime - target_field: process.start - ignore_missing: true - - rename: - field: json.evidence.parentProcessId - target_field: process.parent.pid - ignore_missing: true - - rename: - field: json.evidence.parentProcessCreationTime - target_field: process.parent.start - ignore_missing: true - -########################## -## ECS Observer Mapping ## -########################## - - set: - field: observer.product - value: Defender for Endpoint - - set: - field: observer.vendor - value: Microsoft - - rename: - field: json.detectionSource - target_field: observer.name - ignore_missing: true - -##################### -## ECS URL Mapping ## -##################### - - rename: - field: json.evidence.url - target_field: url.full - ignore_missing: true - if: ctx?.json?.evidence?.url != null - - uri_parts: - field: url.full - ignore_failure: true - if: ctx?.url?.full != null - -###################### -## ECS Host Mapping ## -###################### - - rename: - field: json.computerDnsName - target_field: host.hostname - ignore_missing: true - - set: - field: host.name - value: '{{host.hostname}}' - if: ctx?.host?.hostname != null - -###################### -## ECS User Mapping ## -###################### - - rename: - field: json.relatedUser.userName - target_field: user.name - ignore_missing: true - - rename: - field: json.relatedUser.domainName - target_field: user.domain - ignore_missing: 
true - - rename: - field: json.evidence.userSid - target_field: user.id - ignore_missing: true - -######################### -## ECS Related Mapping ## -######################### - - append: - field: related.ip - value: '{{json.evidence.ipAddress}}' - if: ctx.json?.evidence?.ipAddress != null - - append: - field: related.user - value: '{{user.name}}' - if: ctx.user?.name != null - - append: - field: related.hash - value: '{{file.hash.sha1}}' - if: ctx.file?.hash?.sha1 != null - - append: - field: related.hash - value: '{{file.hash.sha256}}' - if: ctx.file?.hash?.sha256 != null - - append: - field: related.hosts - value: '{{host.hostname}}' - if: ctx.host?.hostname != null && ctx.host?.hostname != '' - allow_duplicates: false - -############# -## Cleanup ## -############# - - remove: - field: - - json.alertCreationTime - - json.severity - - json.relatedUser - ignore_missing: true - - rename: - field: json - target_field: microsoft.defender_endpoint - ignore_missing: true - - convert: - field: microsoft.defender_endpoint.incidentId - type: string - ignore_missing: true - - convert: - field: microsoft.defender_endpoint.investigationId - type: string - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{_ingest.on_failure_message}}' diff --git a/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/fields/agent.yml b/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/fields/base-fields.yml b/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/fields/base-fields.yml deleted file mode 100755 index fa6e341507..0000000000 --- a/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: microsoft_defender_endpoint -- name: event.dataset - type: constant_keyword - description: Event dataset - value: microsoft_defender_endpoint.log -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/fields/ecs.yml b/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/fields/ecs.yml deleted file mode 100755 index ff1822b5e5..0000000000 --- a/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,205 +0,0 @@ -- description: Unique container id. - name: container.id - type: keyword -- description: Name of the image the container was built on. - name: container.image.name - type: keyword -- description: Container image tags. - name: container.image.tag - type: keyword -- description: Image labels. - name: container.labels - type: object -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Source of the event. 
- Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
- name: event.provider
- type: keyword
-- description: |-
- The numeric severity of the event according to your event source.
- What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
- The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
- name: event.severity
- type: long
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- File extension, excluding the leading dot.
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: file.extension
- type: keyword
-- description: MD5 hash.
- name: file.hash.md5
- type: keyword
-- description: SHA1 hash.
- name: file.hash.sha1
- type: keyword
-- description: SHA256 hash.
- name: file.hash.sha256
- type: keyword
-- description: SHA512 hash.
- name: file.hash.sha512
- type: keyword
-- description: Name of the file including the extension, without the directory.
- name: file.name
- type: keyword
-- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
- multi_fields:
- - name: text
- type: match_only_text
- name: file.path
- type: keyword
-- description: |-
- Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
- If the event wasn't read from a log file, do not populate this field.
- name: log.file.path
- type: keyword
-- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
- name: log.logger
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: |-
- Custom name of the observer.
- This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.
- If no custom name is needed, the field can be left empty.
- name: observer.name
- type: keyword
-- description: The product name of the observer.
- name: observer.product
- type: keyword
-- description: |-
- The type of the observer the data is coming from.
- There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
- name: observer.type
- type: keyword
-- description: Vendor name of the observer.
- name: observer.vendor
- type: keyword
-- description: |-
- Full command line that started the process, including the absolute path to the executable, and all arguments.
- Some arguments may be filtered to protect sensitive information.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.command_line
- type: wildcard
-- description: Process id.
- name: process.parent.pid
- type: long
-- description: The time the process started.
- name: process.parent.start
- type: date
-- description: Process id.
- name: process.pid
- type: long
-- description: The time the process started.
- name: process.start
- type: date
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- type: keyword
-- description: The description of the rule generating the event.
- name: rule.description
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- type: keyword
-- description: Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.
- name: threat.framework
- type: keyword
-- description: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
- multi_fields:
- - name: text
- type: match_only_text
- name: threat.technique.name
- type: keyword
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.domain
- type: keyword
-- description: Unique identifier of the user.
- name: user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
diff --git a/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/fields/fields.yml b/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/fields/fields.yml
deleted file mode 100755
index ad1ed731d8..0000000000
--- a/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/fields/fields.yml
+++ /dev/null
@@ -1,72 +0,0 @@
-- name: microsoft.defender_endpoint
- type: group
- release: ga
- fields:
- - name: lastUpdateTime
- type: date
- description: |
- The date and time (in UTC) the alert was last updated.
- - name: resolvedTime
- type: date
- description: |
- The date and time in which the status of the alert was changed to 'Resolved'.
- - name: incidentId
- type: keyword
- description: |
- The Incident ID of the Alert.
- - name: investigationId
- type: keyword
- description: |
- The Investigation ID related to the Alert.
- - name: investigationState
- type: keyword
- description: |
- The current state of the Investigation.
- - name: assignedTo
- type: keyword
- description: |
- Owner of the alert.
- - name: status
- type: keyword
- description: |
- Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
- - name: classification
- type: keyword
- description: |
- Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
- - name: determination
- type: keyword
- description: |
- Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
- - name: threatFamilyName
- type: keyword
- description: |
- Threat family.
- - name: rbacGroupName
- type: keyword
- description: |
- User group related to the alert
- - name: evidence.domainName
- type: keyword
- description: |
- Domain name related to the alert
- - name: evidence.ipAddress
- type: ip
- description: |
- IP address involved in the alert
- - name: evidence.aadUserId
- type: keyword
- description: |
- ID of the user involved in the alert
- - name: evidence.accountName
- type: keyword
- description: |
- Username of the user involved in the alert
- - name: evidence.entityType
- type: keyword
- description: |
- The type of evidence
- - name: evidence.userPrincipalName
- type: keyword
- description: |
- Principal name of the user involved in the alert
diff --git a/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/manifest.yml b/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/manifest.yml
deleted file mode 100755
index 02ab2e3b68..0000000000
--- a/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,129 +0,0 @@
-type: logs
-title: Microsoft Defender for Endpoint logs
-streams:
- - input: httpjson
- template_path: httpjson.yml.hbs
- title: Microsoft Defender for Endpoint logs
- description: Collect Microsoft Defender for Endpoint logs from API
- vars:
- - name: client_id
- type: text
- title: Client ID
- description: The client ID related to creating a new application on Azure.
- multi: false
- required: true
- show_user: true
- - name: client_secret
- type: text
- title: Client Secret
- description: The secret related to the client ID.
- multi: false
- required: true
- show_user: true
- - name: tenant_id
- type: text
- title: Tenant ID
- description: The tenant ID related to creating a new application on Azure.
- multi: false
- required: true
- show_user: true
- - name: interval
- type: text
- title: Interval
- multi: false
- required: true
- show_user: true
- default: 5m
- description: The interval between requests to the HTTP API.
- - name: azure_resource
- type: text
- title: Azure Resource
- multi: false
- required: true
- default: https://api.securitycenter.windows.com/
- show_user: false
- description: URL to proxy connections in the form of http[s]://:@:
- - name: proxy_url
- type: text
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http[s]://:@:
- - name: login_url
- type: text
- title: OAuth Server URL
- required: true
- show_user: false
- default: https://login.microsoftonline.com/
- description: "URL of Login server 'tenant-id/oauth2/token added automatically'"
- - name: request_url
- type: text
- title: Security Center URL
- required: true
- show_user: false
- default: https://api.securitycenter.windows.com/api/alerts
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - microsoft-defender-endpoint
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: logfile
- template_path: log.yml.hbs
- title: Microsoft Defender for Endpoint logs
- description: Collect Microsoft Defender for Endpoint logs from a file
- enabled: false
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - microsoft-defender-endpoint
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/sample_event.json b/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/sample_event.json
deleted file mode 100755
index 6bc9e99103..0000000000
--- a/packages/microsoft_defender_endpoint/2.2.1/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,110 +0,0 @@
-{
- "@timestamp": "2022-01-02T01:30:05.670Z",
- "agent": {
- "ephemeral_id": "9cc31363-7ffb-4763-9bec-cef372647d15",
- "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "cloud": {
- "account": {
- "id": "a839b112-1253-6432-9bf6-94542403f21c"
- },
- "instance": {
- "id": "111e6dd8c833c8a052ea231ec1b19adaf497b625"
- },
- "provider": "azure"
- },
- "data_stream": {
- "dataset": "microsoft_defender_endpoint.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "action": "Execution",
- "agent_id_status": "verified",
- "category": [
- "host"
- ],
- "created": "2021-01-26T20:33:57.7220239Z",
- "dataset": "microsoft_defender_endpoint.log",
- "duration": 101466100,
- "end": "2021-01-26T20:31:33.0577322Z",
- "id": "da637472900382838869_1364969609",
- "ingested": "2022-01-02T01:30:06Z",
- "kind": "alert",
- "provider": "defender_endpoint",
- "severity": 2,
- "start": "2021-01-26T20:31:32.9562661Z",
- "timezone": "UTC",
- "type": [
- "user",
- "creation",
- "start"
- ]
- },
- "host": {
- "hostname": "temp123.middleeast.corp.microsoft.com",
- "name": "temp123.middleeast.corp.microsoft.com"
- },
- "input": {
- "type": "httpjson"
- },
- "message": "Low-reputation arbitrary code executed by signed executable",
- "microsoft": {
- "defender_endpoint": {
- "evidence": {
- "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
- "accountName": "name",
- "domainName": "DOMAIN",
- "entityType": "User",
- "userPrincipalName": "temp123@microsoft.com"
- },
- "incidentId": "1126093",
- "investigationState": "Queued",
- "lastUpdateTime": "2021-01-26T20:33:59.2Z",
- "rbacGroupName": "A",
- "status": "New"
- }
- },
- "observer": {
- "name": "WindowsDefenderAtp",
- "product": "Defender for Endpoint",
- "vendor": "Microsoft"
- },
- "related": {
- "hosts": [
- "temp123.middleeast.corp.microsoft.com"
- ],
- "user": [
- "temp123"
- ]
- },
- "rule": {
- "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C\u0026C) server."
- },
- "tags": [
- "microsoft-defender-endpoint",
- "forwarded"
- ],
- "threat": {
- "framework": "MITRE ATT\u0026CK",
- "technique": {
- "name": "Execution"
- }
- },
- "user": {
- "domain": "DOMAIN",
- "id": "S-1-5-21-11111607-1111760036-109187956-75141",
- "name": "temp123"
- }
-}
\ No newline at end of file
diff --git a/packages/microsoft_defender_endpoint/2.2.1/docs/README.md b/packages/microsoft_defender_endpoint/2.2.1/docs/README.md
deleted file mode 100755
index deff335cdc..0000000000
--- a/packages/microsoft_defender_endpoint/2.2.1/docs/README.md
+++ /dev/null
@@ -1,270 +0,0 @@
-# Microsoft Defender for Endpoint integration
-
-This integration is for [Microsoft Defender for Endpoint](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) logs.
-
-## Setting up
-
-To allow the integration to ingest data from the Microsoft Defender API, you need to create a new application on your Azure domain. The procedure to create an application is found on the [Create a new Azure Application](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp) documentation page.
-
-> Note: When giving the application the API permissions described in the documentation (`Windows Defender ATP Alert.Read.All`), it will only grant access to read alerts from ATP and nothing else in the Azure Domain
-
-After the application has been created, it should contain 3 values that you need to apply to the module configuration.
-
-These values are:
-
-- Client ID
-- Client Secret
-- Tenant ID
-
-## ECS mappings
-
-| Defender for Endpoint fields | ECS Fields |
-| ---------------------------------- | --------------------- |
-| alertCreationTime | @timestamp |
-| aadTenantId | cloud.account.id |
-| category | threat.technique.name |
-| computerDnsName | host.hostname |
-| description | rule.description |
-| detectionSource | observer.name |
-| evidence.fileName | file.name |
-| evidence.filePath | file.path |
-| evidence.processId | process.pid |
-| evidence.processCommandLine | process.command_line |
-| evidence.processCreationTime | process.start |
-| evidence.parentProcessId | process.parent.pid |
-| evidence.parentProcessCreationTime | process.parent.start |
-| evidence.sha1 | file.hash.sha1 |
-| evidence.sha256 | file.hash.sha256 |
-| evidence.url | url.full |
-| firstEventTime | event.start |
-| id | event.id |
-| lastEventTime | event.end |
-| machineId | cloud.instance.id |
-| title | message |
-| severity | event.severity |
-
-An example event for `log` looks as following:
-
-```json
-{
- "@timestamp": "2022-01-02T01:30:05.670Z",
- "agent": {
- "ephemeral_id": "9cc31363-7ffb-4763-9bec-cef372647d15",
- "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "cloud": {
- "account": {
- "id": "a839b112-1253-6432-9bf6-94542403f21c"
- },
- "instance": {
- "id": "111e6dd8c833c8a052ea231ec1b19adaf497b625"
- },
- "provider": "azure"
- },
- "data_stream": {
- "dataset": "microsoft_defender_endpoint.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "action": "Execution",
- "agent_id_status": "verified",
- "category": [
- "host"
- ],
- "created": "2021-01-26T20:33:57.7220239Z",
- "dataset": "microsoft_defender_endpoint.log",
- "duration": 101466100,
- "end": "2021-01-26T20:31:33.0577322Z",
- "id": "da637472900382838869_1364969609",
- "ingested": "2022-01-02T01:30:06Z",
- "kind": "alert",
- "provider": "defender_endpoint",
- "severity": 2,
- "start": "2021-01-26T20:31:32.9562661Z",
- "timezone": "UTC",
- "type": [
- "user",
- "creation",
- "start"
- ]
- },
- "host": {
- "hostname": "temp123.middleeast.corp.microsoft.com",
- "name": "temp123.middleeast.corp.microsoft.com"
- },
- "input": {
- "type": "httpjson"
- },
- "message": "Low-reputation arbitrary code executed by signed executable",
- "microsoft": {
- "defender_endpoint": {
- "evidence": {
- "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
- "accountName": "name",
- "domainName": "DOMAIN",
- "entityType": "User",
- "userPrincipalName": "temp123@microsoft.com"
- },
- "incidentId": "1126093",
- "investigationState": "Queued",
- "lastUpdateTime": "2021-01-26T20:33:59.2Z",
- "rbacGroupName": "A",
- "status": "New"
- }
- },
- "observer": {
- "name": "WindowsDefenderAtp",
- "product": "Defender for Endpoint",
- "vendor": "Microsoft"
- },
- "related": {
- "hosts": [
- "temp123.middleeast.corp.microsoft.com"
- ],
- "user": [
- "temp123"
- ]
- },
- "rule": {
- "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C\u0026C) server."
- },
- "tags": [
- "microsoft-defender-endpoint",
- "forwarded"
- ],
- "threat": {
- "framework": "MITRE ATT\u0026CK",
- "technique": {
- "name": "Execution"
- }
- },
- "user": {
- "domain": "DOMAIN",
- "id": "S-1-5-21-11111607-1111760036-109187956-75141",
- "name": "temp123"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.image.tag | Container image tags. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| file.hash.md5 | MD5 hash. | keyword |
-| file.hash.sha1 | SHA1 hash. | keyword |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| file.hash.sha512 | SHA512 hash. | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| microsoft.defender_endpoint.assignedTo | Owner of the alert. | keyword |
-| microsoft.defender_endpoint.classification | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. | keyword |
-| microsoft.defender_endpoint.determination | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'. | keyword |
-| microsoft.defender_endpoint.evidence.aadUserId | ID of the user involved in the alert | keyword |
-| microsoft.defender_endpoint.evidence.accountName | Username of the user involved in the alert | keyword |
-| microsoft.defender_endpoint.evidence.domainName | Domain name related to the alert | keyword |
-| microsoft.defender_endpoint.evidence.entityType | The type of evidence | keyword |
-| microsoft.defender_endpoint.evidence.ipAddress | IP address involved in the alert | ip |
-| microsoft.defender_endpoint.evidence.userPrincipalName | Principal name of the user involved in the alert | keyword |
-| microsoft.defender_endpoint.incidentId | The Incident ID of the Alert. | keyword |
-| microsoft.defender_endpoint.investigationId | The Investigation ID related to the Alert. | keyword |
-| microsoft.defender_endpoint.investigationState | The current state of the Investigation. | keyword |
-| microsoft.defender_endpoint.lastUpdateTime | The date and time (in UTC) the alert was last updated. | date |
-| microsoft.defender_endpoint.rbacGroupName | User group related to the alert | keyword |
-| microsoft.defender_endpoint.resolvedTime | The date and time in which the status of the alert was changed to 'Resolved'. | date |
-| microsoft.defender_endpoint.status | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. | keyword |
-| microsoft.defender_endpoint.threatFamilyName | Threat family. | keyword |
-| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.parent.pid | Process id. | long |
-| process.parent.start | The time the process started. | date |
-| process.pid | Process id. | long |
-| process.start | The time the process started. | date |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.description | The description of the rule generating the event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword |
-| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-
diff --git a/packages/microsoft_defender_endpoint/2.2.1/img/filebeat-defender-atp-overview.png b/packages/microsoft_defender_endpoint/2.2.1/img/filebeat-defender-atp-overview.png
deleted file mode 100755
index 7df250e2ae..0000000000
Binary files a/packages/microsoft_defender_endpoint/2.2.1/img/filebeat-defender-atp-overview.png and /dev/null differ
diff --git a/packages/microsoft_defender_endpoint/2.2.1/img/logo.svg b/packages/microsoft_defender_endpoint/2.2.1/img/logo.svg
deleted file mode 100755
index 8392768616..0000000000
--- a/packages/microsoft_defender_endpoint/2.2.1/img/logo.svg
+++ /dev/null
@@ -1,25 +0,0 @@ - - - - - -
diff --git a/packages/microsoft_defender_endpoint/2.2.1/img/siem-alerts-cs.jpg b/packages/microsoft_defender_endpoint/2.2.1/img/siem-alerts-cs.jpg
deleted file mode 100755
index b74edfe229..0000000000
Binary files a/packages/microsoft_defender_endpoint/2.2.1/img/siem-alerts-cs.jpg and /dev/null differ
diff --git a/packages/microsoft_defender_endpoint/2.2.1/img/siem-events-cs.jpg b/packages/microsoft_defender_endpoint/2.2.1/img/siem-events-cs.jpg
deleted file mode 100755
index 9839f73821..0000000000
Binary files a/packages/microsoft_defender_endpoint/2.2.1/img/siem-events-cs.jpg and /dev/null differ
diff --git a/packages/microsoft_defender_endpoint/2.2.1/kibana/dashboard/microsoft_defender_endpoint-65402c30-ca6a-11ea-9d4d-9737a63aaa55.json b/packages/microsoft_defender_endpoint/2.2.1/kibana/dashboard/microsoft_defender_endpoint-65402c30-ca6a-11ea-9d4d-9737a63aaa55.json
deleted file mode 100755
index c9bffa7d61..0000000000
--- a/packages/microsoft_defender_endpoint/2.2.1/kibana/dashboard/microsoft_defender_endpoint-65402c30-ca6a-11ea-9d4d-9737a63aaa55.json
+++ /dev/null
@@ -1,59 +0,0 @@ -{ - "attributes": { - "description": "Microsoft Defender for Endpoint Alert Overview", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:microsoft_defender_endpoint.log\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"8343f7ea-b977-44bf-bf81-6d41742093a4\",\"w\":4,\"x\":0,\"y\":0},\"panelIndex\":\"8343f7ea-b977-44bf-bf81-6d41742093a4\",\"panelRefName\":\"panel_0\",\"version\":\"7.8.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":24,\"i\":\"74d36139-4d22-44d4-bfc8-020c575febb1\",\"w\":25,\"x\":4,\"y\":0},\"panelIndex\":\"74d36139-4d22-44d4-bfc8-020c575febb1\",\"panelRefName\":\"panel_1\",\"version\":\"7.8.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":24,\"i\":\"a3e140ed-a0ed-4da0-8142-72d68fd7c5e5\",\"w\":19,\"x\":29,\"y\":0},\"panelIndex\":\"a3e140ed-a0ed-4da0-8142-72d68fd7c5e5\",\"panelRefName\":\"panel_2\",\"title\":\"Techniques [Microsoft Defender for 
Endpoint]\",\"version\":\"7.8.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"f3843ab0-8b0f-4f64-805c-4ab0d0965d8a\",\"w\":4,\"x\":0,\"y\":6},\"panelIndex\":\"f3843ab0-8b0f-4f64-805c-4ab0d0965d8a\",\"panelRefName\":\"panel_3\",\"version\":\"7.8.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"16e7059b-70a5-4ea4-b622-9015d7430419\",\"w\":4,\"x\":0,\"y\":12},\"panelIndex\":\"16e7059b-70a5-4ea4-b622-9015d7430419\",\"panelRefName\":\"panel_4\",\"version\":\"7.8.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"d8a5a667-ed0b-42ed-ae7d-edbfa722677f\",\"w\":4,\"x\":0,\"y\":18},\"panelIndex\":\"d8a5a667-ed0b-42ed-ae7d-edbfa722677f\",\"panelRefName\":\"panel_5\",\"version\":\"7.8.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"cb8de6bb-1096-427d-834e-210963aad3e5\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"cb8de6bb-1096-427d-834e-210963aad3e5\",\"panelRefName\":\"panel_6\",\"version\":\"7.8.1\"}]", - "timeRestore": false, - "title": "[Microsoft Defender for Endpoint] Overview", - "version": 1 - }, - "id": "microsoft_defender_endpoint-65402c30-ca6a-11ea-9d4d-9737a63aaa55", - "migrationVersion": { - "dashboard": "7.11.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "microsoft_defender_endpoint-3c64f400-ca68-11ea-9d4d-9737a63aaa55", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "microsoft_defender_endpoint-e415af10-ca67-11ea-9d4d-9737a63aaa55", - "name": "panel_1", - "type": "lens" - }, - { - "id": "microsoft_defender_endpoint-14d367f0-ca68-11ea-9d4d-9737a63aaa55", - "name": "panel_2", - "type": "lens" - }, - { - "id": "microsoft_defender_endpoint-9e902dc0-ca68-11ea-9d4d-9737a63aaa55", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "microsoft_defender_endpoint-b9fcbf60-ca68-11ea-9d4d-9737a63aaa55", - "name": "panel_4", - "type": "visualization" - }, - { - "id": 
"microsoft_defender_endpoint-62f081c0-ca68-11ea-9d4d-9737a63aaa55", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "microsoft_defender_endpoint-00e8fca0-ca68-11ea-9d4d-9737a63aaa55", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/2.2.1/kibana/lens/microsoft_defender_endpoint-14d367f0-ca68-11ea-9d4d-9737a63aaa55.json b/packages/microsoft_defender_endpoint/2.2.1/kibana/lens/microsoft_defender_endpoint-14d367f0-ca68-11ea-9d4d-9737a63aaa55.json deleted file mode 100755 index 028339d995..0000000000 --- a/packages/microsoft_defender_endpoint/2.2.1/kibana/lens/microsoft_defender_endpoint-14d367f0-ca68-11ea-9d4d-9737a63aaa55.json +++ /dev/null 
@@ -1,139 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "f93e2634-0dd5-4aec-b6de-45284dd39630": { - "columnOrder": [ - "12ecaf1f-b957-4c15-8f43-8f043a7d1d51", - "0f67be87-cc6f-48e7-8afd-d9401037d006" - ], - "columns": { - "0f67be87-cc6f-48e7-8afd-d9401037d006": { - "dataType": "number", - "isBucketed": false, - "label": "Number of techniques", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "12ecaf1f-b957-4c15-8f43-8f043a7d1d51": { - "dataType": "string", - "isBucketed": true, - "label": "Related MITRE attach techniques", - "operationType": "terms", - "params": { - "orderBy": { - "type": "alphabetical" - }, - "orderDirection": "asc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "threat.technique.name" - } - } - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "filter-index-pattern-0", - "key": "event.integration", - "negate": false, - "params": { - "query": "microsoft_defender_endpoint" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.integration": "microsoft_defender_endpoint" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "filter-index-pattern-1", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "microsoft_defender_endpoint.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "microsoft_defender_endpoint.log" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "12ecaf1f-b957-4c15-8f43-8f043a7d1d51" - ], - "layerId": "f93e2634-0dd5-4aec-b6de-45284dd39630", - "legendDisplay": "default", - "metric": "0f67be87-cc6f-48e7-8afd-d9401037d006", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - 
"shape": "treemap" - } - }, - "title": "Techniques [Microsoft Defender for Endpoint]", - "visualizationType": "lnsPie" - }, - "id": "microsoft_defender_endpoint-14d367f0-ca68-11ea-9d4d-9737a63aaa55", - "migrationVersion": { - "lens": "7.11.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-f93e2634-0dd5-4aec-b6de-45284dd39630", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-1", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/2.2.1/kibana/lens/microsoft_defender_endpoint-e415af10-ca67-11ea-9d4d-9737a63aaa55.json b/packages/microsoft_defender_endpoint/2.2.1/kibana/lens/microsoft_defender_endpoint-e415af10-ca67-11ea-9d4d-9737a63aaa55.json deleted file mode 100755 index e3b06ec51c..0000000000 --- a/packages/microsoft_defender_endpoint/2.2.1/kibana/lens/microsoft_defender_endpoint-e415af10-ca67-11ea-9d4d-9737a63aaa55.json +++ /dev/null 
@@ -1,164 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "ac550ae9-6e17-4944-9545-25bbe83d9dbb": { - "columnOrder": [ - "19ade524-0042-4ecd-ac59-9696c8c2e225", - "677e5501-ca31-435c-8eab-38b5297e54c2", - "27212c7c-83ee-4292-a4c6-396d9b77dce6" - ], - "columns": { - "19ade524-0042-4ecd-ac59-9696c8c2e225": { - "dataType": "number", - "isBucketed": true, - "label": "Top values of event.severity", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "27212c7c-83ee-4292-a4c6-396d9b77dce6", - "type": "column" - }, - "orderDirection": "desc", - "size": 6 - }, - "scale": "ordinal", - "sourceField": "event.severity" - }, - "27212c7c-83ee-4292-a4c6-396d9b77dce6": { - "dataType": "number", - "isBucketed": false, - "label": "Number of incidents", - "operationType": "cardinality", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "microsoft.defender_endpoint.incidentId" - }, - "677e5501-ca31-435c-8eab-38b5297e54c2": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "24h" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - } - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "filter-index-pattern-0", - "key": "event.integration", - "negate": false, - "params": { - "query": "microsoft_defender_endpoint" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.integration": "microsoft_defender_endpoint" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "filter-index-pattern-1", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "microsoft_defender_endpoint.log" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - 
"data_stream.dataset": "microsoft_defender_endpoint.log" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "accessors": [ - "27212c7c-83ee-4292-a4c6-396d9b77dce6" - ], - "layerId": "ac550ae9-6e17-4944-9545-25bbe83d9dbb", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "19ade524-0042-4ecd-ac59-9696c8c2e225", - "xAccessor": "677e5501-ca31-435c-8eab-38b5297e54c2" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "line" - } - }, - "title": "New Incidents [Microsoft Defender for Endpoint]", - "visualizationType": "lnsXY" - }, - "id": "microsoft_defender_endpoint-e415af10-ca67-11ea-9d4d-9737a63aaa55", - "migrationVersion": { - "lens": "7.11.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-ac550ae9-6e17-4944-9545-25bbe83d9dbb", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-1", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/2.2.1/kibana/visualization/microsoft_defender_endpoint-00e8fca0-ca68-11ea-9d4d-9737a63aaa55.json b/packages/microsoft_defender_endpoint/2.2.1/kibana/visualization/microsoft_defender_endpoint-00e8fca0-ca68-11ea-9d4d-9737a63aaa55.json deleted file mode 100755 index a8d751dea2..0000000000 --- a/packages/microsoft_defender_endpoint/2.2.1/kibana/visualization/microsoft_defender_endpoint-00e8fca0-ca68-11ea-9d4d-9737a63aaa55.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "Microsoft Defender for Endpoint Incident Table", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"microsoft_defender_endpoint.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"microsoft_defender_endpoint.\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_defender_endpoint.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_defender_endpoint.log\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Incident Table [Microsoft Defender for Endpoint]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"8\",\"params\":{\"aggregate\":\"concat\",\"field\":\"@timestamp\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Incident ID\",\"field\":\"microsoft.defender_endpoint.incidentId\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Current 
Status\",\"field\":\"microsoft.defender_endpoint.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Assigned To\",\"field\":\"microsoft.defender_endpoint.assignedTo\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"9\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"event.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"10\",\"params\":{\"customLabel\":\"Category\",\"field\":\"threat.technique.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Description\",\"field\":\"rule.description\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"row\":true,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnI
ndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Incident Table [Microsoft Defender for Endpoint]\",\"type\":\"table\"}" - }, - "id": "microsoft_defender_endpoint-00e8fca0-ca68-11ea-9d4d-9737a63aaa55", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/2.2.1/kibana/visualization/microsoft_defender_endpoint-3c64f400-ca68-11ea-9d4d-9737a63aaa55.json b/packages/microsoft_defender_endpoint/2.2.1/kibana/visualization/microsoft_defender_endpoint-3c64f400-ca68-11ea-9d4d-9737a63aaa55.json deleted file mode 100755 index 519a8aa05a..0000000000 --- a/packages/microsoft_defender_endpoint/2.2.1/kibana/visualization/microsoft_defender_endpoint-3c64f400-ca68-11ea-9d4d-9737a63aaa55.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "Microsoft Defender for Endpoint Counter for new incidents", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"microsoft_defender_endpoint.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"microsoft_defender_endpoint.\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_defender_endpoint.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_defender_endpoint.log\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"microsoft_defender_endpoint.log\\\" \"}}" - }, - "title": "New Incidents Counter [Microsoft Defender for Endpoint]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"New Incidents\",\"field\":\"microsoft.defender_endpoint.incidentId\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"New Incidents Counter [Microsoft Defender for Endpoint]\",\"type\":\"metric\"}" - }, - "id": 
"microsoft_defender_endpoint-3c64f400-ca68-11ea-9d4d-9737a63aaa55", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/2.2.1/kibana/visualization/microsoft_defender_endpoint-62f081c0-ca68-11ea-9d4d-9737a63aaa55.json b/packages/microsoft_defender_endpoint/2.2.1/kibana/visualization/microsoft_defender_endpoint-62f081c0-ca68-11ea-9d4d-9737a63aaa55.json deleted file mode 100755 index c2f78c9696..0000000000 --- a/packages/microsoft_defender_endpoint/2.2.1/kibana/visualization/microsoft_defender_endpoint-62f081c0-ca68-11ea-9d4d-9737a63aaa55.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "Microsoft Defender for Endpoint counter for related Users", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"microsoft_defender_endpoint.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"microsoft_defender_endpoint.\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_defender_endpoint.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_defender_endpoint.log\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"microsoft_defender_endpoint.log\\\" \"}}" - }, - "title": "Related Users Counter [Microsoft Defender for Endpoint]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Related Users\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Related Users Counter [Microsoft Defender for Endpoint]\",\"type\":\"metric\"}" - }, - "id": "microsoft_defender_endpoint-62f081c0-ca68-11ea-9d4d-9737a63aaa55", - 
"migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/2.2.1/kibana/visualization/microsoft_defender_endpoint-9e902dc0-ca68-11ea-9d4d-9737a63aaa55.json b/packages/microsoft_defender_endpoint/2.2.1/kibana/visualization/microsoft_defender_endpoint-9e902dc0-ca68-11ea-9d4d-9737a63aaa55.json deleted file mode 100755 index 915fcf1d72..0000000000 --- a/packages/microsoft_defender_endpoint/2.2.1/kibana/visualization/microsoft_defender_endpoint-9e902dc0-ca68-11ea-9d4d-9737a63aaa55.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "Microsoft Defender for Endpoint counter for related domains", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"microsoft_defender_endpoint.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"microsoft_defender_endpoint.\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_defender_endpoint.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_defender_endpoint.log\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"microsoft_defender_endpoint.log\\\" \"}}" - }, - "title": "Domains Counter [Microsoft Defender for Endpoint]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Related Domains\",\"field\":\"microsoft.defender_endpoint.evidence.domainName\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Domains Counter [Microsoft Defender for Endpoint]\",\"type\":\"metric\"}" - }, - "id": 
"microsoft_defender_endpoint-9e902dc0-ca68-11ea-9d4d-9737a63aaa55", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/2.2.1/kibana/visualization/microsoft_defender_endpoint-b9fcbf60-ca68-11ea-9d4d-9737a63aaa55.json b/packages/microsoft_defender_endpoint/2.2.1/kibana/visualization/microsoft_defender_endpoint-b9fcbf60-ca68-11ea-9d4d-9737a63aaa55.json deleted file mode 100755 index 7c96dfb53c..0000000000 --- a/packages/microsoft_defender_endpoint/2.2.1/kibana/visualization/microsoft_defender_endpoint-b9fcbf60-ca68-11ea-9d4d-9737a63aaa55.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "Microsoft Defender for Endpoint counter for related IP Addresses", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"microsoft_defender_endpoint.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"microsoft_defender_endpoint.\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_defender_endpoint.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_defender_endpoint.log\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"microsoft_defender_endpoint.log\\\" \"}}" - }, - "title": "IP Addresses Counter [Microsoft Defender for Endpoint]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Related Networks\",\"field\":\"microsoft.defender_endpoint.evidence.ipAddress\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"IP Addresses Counter [Microsoft Defender for Endpoint]\",\"type\":\"metric\"}" - }, - "id": 
"microsoft_defender_endpoint-b9fcbf60-ca68-11ea-9d4d-9737a63aaa55", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/2.2.1/manifest.yml b/packages/microsoft_defender_endpoint/2.2.1/manifest.yml deleted file mode 100755 index 7613fb4628..0000000000 --- a/packages/microsoft_defender_endpoint/2.2.1/manifest.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -format_version: 1.0.0 -name: microsoft_defender_endpoint -title: Microsoft Defender for Endpoint -version: 2.2.1 -description: Collect logs from Microsoft Defender for Endpoint with Elastic Agent. -categories: - - "network" - - "security" - - "azure" -release: ga -license: basic -type: integration -conditions: - kibana.version: ^7.14.1 || ^8.0.0 -policy_templates: - - name: microsoft_defender_endpoint - title: Microsoft Defender for Endpoint - description: Collect logs from Microsoft Defender for Endpoint - inputs: - - type: httpjson - title: "Collect Microsoft Defender for Endpoint logs via API" - description: "Collecting Defender for Endpoint logs via API" - - type: logfile - title: "Collect Microsoft Defender for Endpoint logs via file" - description: "Collecting Defender for Endpoint logs via file" -icons: - - src: /img/logo.svg - title: Microsoft Defender for Endpoint logo - size: 32x32 - type: image/svg+xml -screenshots: - - src: /img/filebeat-defender-atp-overview.png - title: Defender Endpoint overview - size: 2551x1315 - type: image/png - - src: /img/siem-alerts-cs.jpg - title: SIEM alerts CS - size: 3360x1776 - type: image/jpg - - src: /img/siem-events-cs.jpg - title: SIEM events CS - size: 3360x1776 - type: image/jpg -owner: - github: elastic/security-external-integrations diff --git a/packages/network_traffic/1.2.0/changelog.yml b/packages/network_traffic/1.2.0/changelog.yml deleted file mode 100755 index 21cb64a16d..0000000000 --- a/packages/network_traffic/1.2.0/changelog.yml +++ /dev/null 
@@ -1,144 +0,0 @@ -# newer versions go on top -- version: "1.2.0" - changes: - - description: Add option to monitor processes. - type: enhancement - link: https://github.com/elastic/integrations/pull/3456 -- version: "1.1.0" - changes: - - description: Add configuration documentation. - type: enhancement - link: https://github.com/elastic/integrations/pull/3371 -- version: "1.0.2" - changes: - - description: Remove invalid value from `event.category` for TLS and Thrift - type: bugfix - link: https://github.com/elastic/integrations/pull/3409 -- version: "1.0.1" - changes: - - description: Remove invalid value from `event.category`. - type: bugfix - link: https://github.com/elastic/integrations/pull/3384 -- version: "1.0.0" - changes: - - description: Release as GA. - type: enhancement - link: https://github.com/elastic/integrations/pull/3355 -- version: "0.10.1" - changes: - - description: Remove invalid value from `event.category` in SIP data set. - type: bugfix - link: https://github.com/elastic/integrations/pull/3343 -- version: "0.10.0" - changes: - - description: Add configuration options for each protocol. - type: enhancement - link: https://github.com/elastic/integrations/pull/3157 -- version: "0.9.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2780 -- version: "0.8.2" - changes: - - description: Add missing field mappings to DNS and TLS data streams. - type: bugfix - link: https://github.com/elastic/integrations/pull/3078 -- version: "0.8.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.8.0" - changes: - - description: Change release stability to beta. - type: enhancement - link: https://github.com/elastic/integrations/pull/2793 -- version: "0.7.1" - changes: - - description: Fix mapping for tls.detailed.client_certificate_chain. 
- type: bugfix - link: https://github.com/elastic/integrations/pull/2793 -- version: "0.7.0" - changes: - - description: Add dashboards. Update the Kibana constraint to require 7.17.0 or 8.0.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/2762 -- version: "0.6.3" - changes: - - description: Add license note to README. - type: bugfix - link: https://github.com/elastic/integrations/pull/2809 -- version: "0.6.2" - changes: - - description: Add fields for TLS random data and OCSP status. - type: enhancement - link: https://github.com/elastic/integrations/pull/2703 -- version: "0.6.1" - changes: - - description: Remove unused field metadata. - type: enhancement - link: https://github.com/elastic/integrations/pull/2648 -- version: "0.6.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2426 -- version: "0.5.1" - changes: - - description: Fix mapping for tls.detailed.server_certificate_chain - type: bugfix - link: https://github.com/elastic/integrations/pull/2517 -- version: "0.5.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2224 -- version: "0.4.2" - changes: - - description: Uniform with guidelines - type: enhancement - link: https://github.com/elastic/integrations/pull/2097 -- version: "0.4.1" - changes: - - description: Update Description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1997 - - description: Update Title and Description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1975 -- version: "0.4.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1669 -- version: "0.3.0" - changes: - - description: Change title to Network Packet Capture. Added timeout/period config to flows data stream. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1764 -- version: "0.2.2" - changes: - - description: Requires version 7.14.1 of the stack - type: bugfix - link: https://github.com/elastic/integrations/pull/1541 -- version: "0.2.1" - changes: - - description: Escape special characters in docs - type: enhancement - link: https://github.com/elastic/integrations/pull/1405 -- version: "0.2.0" - changes: - - description: Update documentation to fit mdx spec - type: enhancement - link: https://github.com/elastic/integrations/pull/1401 -- version: "0.1.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/21 diff --git a/packages/network_traffic/1.2.0/data_stream/amqp/agent/stream/amqp.yml.hbs b/packages/network_traffic/1.2.0/data_stream/amqp/agent/stream/amqp.yml.hbs deleted file mode 100755 index e22e20e774..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/amqp/agent/stream/amqp.yml.hbs +++ /dev/null 
@@ -1,53 +0,0 @@ -type: amqp -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if max_body_length}} -max_body_length: {{max_body_length}} -{{/if}} -{{#if parse_headers}} -parse_headers: {{parse_headers}} -{{/if}} -{{#if parse_arguments}} -parse_arguments: {{parse_arguments}} -{{/if}} -{{#if hide_connection_information}} -hide_connection_information: {{hide_connection_information}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.2.0/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.2.0/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index dd8f95ef44..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing amqp traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.2.0/data_stream/amqp/fields/agent.yml b/packages/network_traffic/1.2.0/data_stream/amqp/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/amqp/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.2.0/data_stream/amqp/fields/base.yml b/packages/network_traffic/1.2.0/data_stream/amqp/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/amqp/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.2.0/data_stream/amqp/fields/beats.yml b/packages/network_traffic/1.2.0/data_stream/amqp/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/amqp/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.2.0/data_stream/amqp/fields/ecs.yml b/packages/network_traffic/1.2.0/data_stream/amqp/fields/ecs.yml deleted file mode 100755 index da1822dec9..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/amqp/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
- name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. 
- name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.2.0/data_stream/amqp/fields/protocol.yml b/packages/network_traffic/1.2.0/data_stream/amqp/fields/protocol.yml deleted file mode 100755 index 4b87cf176c..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/amqp/fields/protocol.yml +++ /dev/null 
@@ -1,202 +0,0 @@ -- name: amqp - type: group - fields: - - name: reply-code - type: long - description: > - AMQP reply code to an error, similar to http reply-code - - example: 404 - - name: reply-text - type: keyword - description: > - Text explaining the error. - - - name: class-id - type: long - description: > - Failing method class. - - - name: method-id - type: long - description: > - Failing method ID. - - - name: exchange - type: keyword - description: > - Name of the exchange. - - - name: exchange-type - type: keyword - description: > - Exchange type. - - example: fanout - - name: passive - type: boolean - description: > - If set, do not create exchange/queue. - - - name: durable - type: boolean - description: > - If set, request a durable exchange/queue. - - - name: exclusive - type: boolean - description: > - If set, request an exclusive queue. - - - name: auto-delete - type: boolean - description: > - If set, auto-delete queue when unused. - - - name: no-wait - type: boolean - description: > - If set, the server will not respond to the method. - - - name: consumer-tag - type: keyword - description: > - Identifier for the consumer, valid within the current channel. - - - name: delivery-tag - type: long - description: > - The server-assigned and channel-specific delivery tag. - - - name: message-count - type: long - description: > - The number of messages in the queue, which will be zero for newly-declared queues. - - - name: consumer-count - type: long - description: > - The number of consumers of a queue. - - - name: routing-key - type: keyword - description: > - Message routing key. - - - name: no-ack - type: boolean - description: > - If set, the server does not expect acknowledgements for messages. - - - name: no-local - type: boolean - description: > - If set, the server will not send messages to the connection that published them. - - - name: if-unused - type: boolean - description: > - Delete only if unused. 
- - - name: if-empty - type: boolean - description: > - Delete only if empty. - - - name: queue - type: keyword - description: > - The queue name identifies the queue within the vhost. - - - name: redelivered - type: boolean - description: > - Indicates that the message has been previously delivered to this or another client. - - - name: multiple - type: boolean - description: > - Acknowledge multiple messages. - - - name: arguments - type: object - description: > - Optional additional arguments passed to some methods. Can be of various types. - - - name: mandatory - type: boolean - description: > - Indicates mandatory routing. - - - name: immediate - type: boolean - description: > - Request immediate delivery. - - - name: content-type - type: keyword - description: > - MIME content type. - - example: text/plain - - name: content-encoding - type: keyword - description: > - MIME content encoding. - - - name: headers - type: object - object_type: keyword - description: > - Message header field table. - - - name: delivery-mode - type: keyword - description: > - Non-persistent (1) or persistent (2). - - - name: priority - type: long - description: > - Message priority, 0 to 9. - - - name: correlation-id - type: keyword - description: > - Application correlation identifier. - - - name: reply-to - type: keyword - description: > - Address to reply to. - - - name: expiration - type: keyword - description: > - Message expiration specification. - - - name: message-id - type: keyword - description: > - Application message identifier. - - - name: timestamp - type: keyword - description: > - Message timestamp. - - - name: type - type: keyword - description: > - Message type name. - - - name: user-id - type: keyword - description: > - Creating user id. - - - name: app-id - type: keyword - description: > - Creating application id. - 
diff --git a/packages/network_traffic/1.2.0/data_stream/amqp/manifest.yml b/packages/network_traffic/1.2.0/data_stream/amqp/manifest.yml deleted file mode 100755 index a94af8b08b..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/amqp/manifest.yml +++ /dev/null 
@@ -1,114 +0,0 @@ -title: AMQP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [5672] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: max_body_length - type: integer - title: Max Body Length - description: |- - Truncate messages that are published and avoid huge messages being - indexed. - Default: 1000 - show_user: false - multi: false - required: false - - name: parse_headers - type: bool - title: Parse Headers - description: |- - Hide the header fields in header frames. - Default: false - show_user: false - multi: false - required: false - - name: parse_arguments - type: bool - title: Parse Arguments - description: |- - Hide the additional arguments of method frames. - Default: false - show_user: false - multi: false - required: false - - name: hide_connection_information - type: bool - title: Hide Connection Information - description: |- - Hide all methods relative to connection negotiation between server and - client. - Default: true - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. 
- show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: AMQP - description: Capture AMQP Traffic - template_path: amqp.yml.hbs diff --git a/packages/network_traffic/1.2.0/data_stream/amqp/sample_event.json b/packages/network_traffic/1.2.0/data_stream/amqp/sample_event.json deleted file mode 100755 index 9ef02f389f..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/amqp/sample_event.json +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:37:02.033Z", - "agent": { - "ephemeral_id": "ff9ccf25-9d67-46a5-b661-aa01e3db9b84", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "amqp": { - "auto-delete": false, - "consumer-count": 0, - "durable": false, - "exclusive": false, - "message-count": 0, - "no-wait": false, - "passive": false, - "queue": "hello" - }, - "client": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - }, - "data_stream": { - "dataset": "network_traffic.amqp", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "amqp.queue.declare", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.amqp", - "duration": 1325900, - "end": "2022-03-09T07:37:02.035Z", - "ingested": "2022-03-09T07:37:03Z", - "kind": "event", - "start": "2022-03-09T07:37:02.033Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "queue.declare", - "network": { - "bytes": 51, - "community_id": "1:i6J4zz0FGnZMYLIy8kabND2W/XE=", - "direction": "ingress", - "protocol": "amqp", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - 
}, - "status": "OK", - "type": "amqp" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/data_stream/cassandra/agent/stream/cassandra.yml.hbs b/packages/network_traffic/1.2.0/data_stream/cassandra/agent/stream/cassandra.yml.hbs deleted file mode 100755 index 112bc832e8..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/cassandra/agent/stream/cassandra.yml.hbs +++ /dev/null @@ -1,53 +0,0 @@ -type: cassandra -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_request_header}} -send_request_header: {{send_request_header}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if send_response_header}} -send_response_header: {{send_response_header}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if compressor}} -compressor: {{compressor}} -{{/if}} -{{#if ignored_ops}} -ignored_ops: -{{#each ignored_ops as |ignored_op|}} - - {{ignored_op}} -{{/each}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.2.0/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.2.0/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 2860fd7f9e..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing cassandra traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.2.0/data_stream/cassandra/fields/agent.yml b/packages/network_traffic/1.2.0/data_stream/cassandra/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/cassandra/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.2.0/data_stream/cassandra/fields/base.yml b/packages/network_traffic/1.2.0/data_stream/cassandra/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/cassandra/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.2.0/data_stream/cassandra/fields/beats.yml b/packages/network_traffic/1.2.0/data_stream/cassandra/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/cassandra/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.2.0/data_stream/cassandra/fields/ecs.yml b/packages/network_traffic/1.2.0/data_stream/cassandra/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/cassandra/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.2.0/data_stream/cassandra/fields/protocol.yml b/packages/network_traffic/1.2.0/data_stream/cassandra/fields/protocol.yml deleted file mode 100755 index 58a2f6c12d..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/cassandra/fields/protocol.yml +++ /dev/null 
@@ -1,283 +0,0 @@ -- name: cassandra - type: group - description: Information about the Cassandra request and response. - fields: - - name: no_request - type: boolean - description: > - Indicates that there is no request because this is a PUSH message. - - - name: request - type: group - description: Cassandra request. - fields: - - name: headers - type: group - description: Cassandra request headers. - fields: - - name: version - type: keyword - description: The version of the protocol. - - name: flags - type: keyword - description: Flags applying to this frame. - - name: stream - type: keyword - description: A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. - - name: op - type: keyword - description: An operation type that distinguishes the actual message. - - name: length - type: long - description: A integer representing the length of the body of the frame (a frame is limited to 256MB in length). - - name: query - type: keyword - description: The CQL query which client send to cassandra. - - name: response - type: group - description: Cassandra response. - fields: - - name: headers - type: group - description: Cassandra response headers, the structure is as same as request's header. - fields: - - name: version - type: keyword - description: The version of the protocol. - - name: flags - type: keyword - description: Flags applying to this frame. - - name: stream - type: keyword - description: A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. - - name: op - type: keyword - description: An operation type that distinguishes the actual message. - - name: length - type: long - description: A integer representing the length of the body of the frame (a frame is limited to 256MB in length). 
- - name: result - type: group - description: Details about the returned result. - fields: - - name: type - type: keyword - description: Cassandra result type. - - name: rows - type: group - description: Details about the rows. - fields: - - name: num_rows - type: long - description: Representing the number of rows present in this result. - - name: meta - type: group - description: Composed of result metadata. - fields: - - name: keyspace - type: keyword - description: Only present after set Global_tables_spec, the keyspace name. - - name: table - type: keyword - description: Only present after set Global_tables_spec, the table name. - - name: flags - type: keyword - description: Provides information on the formatting of the remaining information. - - name: col_count - type: long - description: Representing the number of columns selected by the query that produced this result. - - name: pkey_columns - type: long - description: Representing the PK columns index and counts. - - name: paging_state - type: keyword - description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. - - name: keyspace - type: keyword - description: Indicating the name of the keyspace that has been set. - - name: schema_change - type: group - description: The result to a schema_change message. - fields: - - name: change - type: keyword - description: Representing the type of changed involved. - - name: keyspace - type: keyword - description: This describes which keyspace has changed. - - name: table - type: keyword - description: This describes which table has changed. - - name: object - type: keyword - description: This describes the name of said affected object (either the table, user type, function, or aggregate name). - - name: target - type: keyword - description: Target could be "FUNCTION" or "AGGREGATE", multiple arguments. 
- - name: name - type: keyword - description: The function/aggregate name. - - name: args - type: keyword - description: One string for each argument type (as CQL type). - - name: prepared - type: group - description: The result to a PREPARE message. - fields: - - name: prepared_id - type: keyword - description: Representing the prepared query ID. - - name: req_meta - type: group - description: This describes the request metadata. - fields: - - name: keyspace - type: keyword - description: Only present after set Global_tables_spec, the keyspace name. - - name: table - type: keyword - description: Only present after set Global_tables_spec, the table name. - - name: flags - type: keyword - description: Provides information on the formatting of the remaining information. - - name: col_count - type: long - description: Representing the number of columns selected by the query that produced this result. - - name: pkey_columns - type: long - description: Representing the PK columns index and counts. - - name: paging_state - type: keyword - description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. - - name: resp_meta - type: group - description: This describes the metadata for the result set. - fields: - - name: keyspace - type: keyword - description: Only present after set Global_tables_spec, the keyspace name. - - name: table - type: keyword - description: Only present after set Global_tables_spec, the table name. - - name: flags - type: keyword - description: Provides information on the formatting of the remaining information. - - name: col_count - type: long - description: Representing the number of columns selected by the query that produced this result. - - name: pkey_columns - type: long - description: Representing the PK columns index and counts. 
- - name: paging_state - type: keyword - description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. - - name: supported - type: flattened - description: Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message. - - name: authentication - type: group - description: Indicates that the server requires authentication, and which authentication mechanism to use. - fields: - - name: class - type: keyword - description: Indicates the full class name of the IAuthenticator in use - - name: warnings - type: keyword - description: The text of the warnings, only occur when Warning flag was set. - - name: event - type: group - description: Event pushed by the server. A client will only receive events for the types it has REGISTERed to. - fields: - - name: type - type: keyword - description: Representing the event type. - - name: change - type: keyword - description: The message corresponding respectively to the type of change followed by the address of the new/removed node. - - name: host - type: keyword - description: Representing the node ip. - - name: port - type: long - description: Representing the node port. - - name: schema_change - type: group - description: The events details related to schema change. - fields: - - name: change - type: keyword - description: Representing the type of changed involved. - - name: keyspace - type: keyword - description: This describes which keyspace has changed. - - name: table - type: keyword - description: This describes which table has changed. - - name: object - type: keyword - description: This describes the name of said affected object (either the table, user type, function, or aggregate name). - - name: target - type: keyword - description: Target could be "FUNCTION" or "AGGREGATE", multiple arguments. - - name: name - type: keyword - description: The function/aggregate name. 
- - name: args - type: keyword - description: One string for each argument type (as CQL type). - - name: error - type: group - description: Indicates an error processing a request. The body of the message will be an error code followed by a error message. Then, depending on the exception, more content may follow. - fields: - - name: code - type: long - description: The error code of the Cassandra response. - - name: msg - type: keyword - description: The error message of the Cassandra response. - - name: type - type: keyword - description: The error type of the Cassandra response. - - name: details - type: group - description: The details of the error. - fields: - - name: read_consistency - type: keyword - description: Representing the consistency level of the query that triggered the exception. - - name: required - type: long - description: Representing the number of nodes that should be alive to respect consistency level. - - name: alive - type: long - description: Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered). - - name: received - type: long - description: Representing the number of nodes having acknowledged the request. - - name: blockfor - type: long - description: Representing the number of replicas whose acknowledgement is required to achieve consistency level. - - name: write_type - type: keyword - description: Describe the type of the write that timed out. - - name: data_present - type: boolean - description: It means the replica that was asked for data had responded. - - name: keyspace - type: keyword - description: The keyspace of the failed function. - - name: table - type: keyword - description: The keyspace of the failed function. - - name: stmt_id - type: keyword - description: Representing the unknown ID. - - name: num_failures - type: keyword - description: Representing the number of nodes that experience a failure while executing the request. 
- - name: function - type: keyword - description: The name of the failed function. - - name: arg_types - type: keyword - description: One string for each argument type (as CQL type) of the failed function. diff --git a/packages/network_traffic/1.2.0/data_stream/cassandra/manifest.yml b/packages/network_traffic/1.2.0/data_stream/cassandra/manifest.yml deleted file mode 100755 index 1af2f7ff38..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/cassandra/manifest.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -title: Cassandra -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [9042] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`cassandra_request` field) - is included in published events. The default is true. - show_user: false - multi: false - required: false - - name: send_request_header - type: bool - title: Send Request Header - description: |- - If this option is enabled, the raw message of the response (`cassandra_request.request_headers` field) - is included in published events. The default is true. enable `send_request` first before enable this option. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`cassandra_response` field) - is included in published events. The default is true. - show_user: false - multi: false - required: false - - name: send_response_header - type: bool - title: Send Response Header - description: |- - If this option is enabled, the raw message of the response (`cassandra_response.response_headers` field) - is included in published events. The default is true. enable `send_response` first before enable this option. 
- show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: compressor - type: text - title: Compressor - description: |- - Configures the default compression algorithm being used to uncompress compressed frames by name. Currently only `snappy` is can be configured. - By default no compressor is configured. - show_user: false - multi: false - required: false - - name: ignored_ops - type: text - title: Ignored Ops - description: This option indicates which Operator/Operators will be ignored. - show_user: false - multi: true - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Cassandra - description: Capture Cassandra Traffic - template_path: cassandra.yml.hbs diff --git a/packages/network_traffic/1.2.0/data_stream/cassandra/sample_event.json b/packages/network_traffic/1.2.0/data_stream/cassandra/sample_event.json deleted file mode 100755 index aa2d587c11..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/cassandra/sample_event.json +++ /dev/null 
@@ -1,125 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:43:05.888Z", - "agent": { - "ephemeral_id": "20d6eb94-1319-473d-9e2f-05621a4d2494", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "cassandra": { - "request": { - "headers": { - "flags": "Default", - "length": 98, - "op": "QUERY", - "stream": 49, - "version": "4" - }, - "query": "CREATE TABLE users (\n user_id int PRIMARY KEY,\n fname text,\n lname text\n);" - }, - "response": { - "headers": { - "flags": "Default", - "length": 39, - "op": "RESULT", - "stream": 49, - "version": "4" - }, - "result": { - "schema_change": { - "change": "CREATED", - "keyspace": "mykeyspace", - "object": "users", - "target": "TABLE" - }, - "type": "schemaChanged" - } - } - }, - "client": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "data_stream": { - "dataset": "network_traffic.cassandra", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.cassandra", - "duration": 131589500, - "end": "2022-03-09T07:43:06.019Z", - "ingested": "2022-03-09T07:43:09Z", - "kind": "event", - "start": "2022-03-09T07:43:05.888Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "bytes": 155, - "community_id": 
"1:bCORHZnGIk6GWYaE3Kn0DOpQCKE=", - "direction": "ingress", - "protocol": "cassandra", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "source": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "status": "OK", - "type": "cassandra" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs b/packages/network_traffic/1.2.0/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs deleted file mode 100755 index d29d14891c..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs +++ /dev/null @@ -1,32 +0,0 @@ -type: dhcpv4 -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.2.0/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.2.0/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index a0f2d285e8..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -description: Pipeline for processing dhcpv4 traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: dhcpv4.client_mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: dhcpv4.client_mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: dhcpv4.client_mac - ignore_missing: true -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.2.0/data_stream/dhcpv4/fields/agent.yml b/packages/network_traffic/1.2.0/data_stream/dhcpv4/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/dhcpv4/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.2.0/data_stream/dhcpv4/fields/base.yml b/packages/network_traffic/1.2.0/data_stream/dhcpv4/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/dhcpv4/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.2.0/data_stream/dhcpv4/fields/beats.yml b/packages/network_traffic/1.2.0/data_stream/dhcpv4/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/dhcpv4/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.2.0/data_stream/dhcpv4/fields/ecs.yml b/packages/network_traffic/1.2.0/data_stream/dhcpv4/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/dhcpv4/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.2.0/data_stream/dhcpv4/fields/protocol.yml b/packages/network_traffic/1.2.0/data_stream/dhcpv4/fields/protocol.yml deleted file mode 100755 index 0180691a5b..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/dhcpv4/fields/protocol.yml +++ /dev/null 
@@ -1,177 +0,0 @@ -- name: dhcpv4 - type: group - fields: - - name: transaction_id - type: keyword - description: | - Transaction ID, a random number chosen by the - client, used by the client and server to associate - messages and responses between a client and a - server. - - name: seconds - type: long - description: | - Number of seconds elapsed since client began address acquisition or - renewal process. - - name: flags - type: keyword - description: | - Flags are set by the client to indicate how the DHCP server should - its reply -- either unicast or broadcast. - - name: client_ip - type: ip - description: The current IP address of the client. - - name: assigned_ip - type: ip - description: | - The IP address that the DHCP server is assigning to the client. - This field is also known as "your" IP address. - - name: server_ip - type: ip - description: | - The IP address of the DHCP server that the client should use for the - next step in the bootstrap process. - - name: relay_ip - type: ip - description: | - The relay IP address used by the client to contact the server - (i.e. a DHCP relay server). - - name: client_mac - type: keyword - description: The client's MAC address (layer two). - - name: server_name - type: keyword - description: | - The name of the server sending the message. Optional. Used in - DHCPOFFER or DHCPACK messages. - - name: op_code - type: keyword - example: bootreply - description: | - The message op code (bootrequest or bootreply). - - name: hops - type: long - description: The number of hops the DHCP message went through. - - name: hardware_type - type: keyword - description: | - The type of hardware used for the local network (Ethernet, - LocalTalk, etc). - - name: option - type: group - fields: - - name: message_type - type: keyword - example: ack - description: | - The specific type of DHCP message being sent (e.g. discover, - offer, request, decline, ack, nak, release, inform). 
- - name: parameter_request_list - type: keyword - description: | - This option is used by a DHCP client to request values for - specified configuration parameters. - - name: requested_ip_address - type: ip - description: | - This option is used in a client request (DHCPDISCOVER) to allow - the client to request that a particular IP address be assigned. - - name: server_identifier - type: ip - description: | - IP address of the individual DHCP server which handled this - message. - - name: broadcast_address - type: ip - description: | - This option specifies the broadcast address in use on the - client's subnet. - - name: max_dhcp_message_size - type: long - description: | - This option specifies the maximum length DHCP message that the - client is willing to accept. - - name: class_identifier - type: keyword - description: | - This option is used by DHCP clients to optionally identify the - vendor type and configuration of a DHCP client. Vendors may - choose to define specific vendor class identifiers to convey - particular configuration or other identification information - about a client. For example, the identifier may encode the - client's hardware configuration. - - name: domain_name - type: keyword - description: | - This option specifies the domain name that client should use - when resolving hostnames via the Domain Name System. - - name: dns_servers - type: ip - description: | - The domain name server option specifies a list of Domain Name - System servers available to the client. - - name: vendor_identifying_options - type: object - description: | - A DHCP client may use this option to unambiguously identify the - vendor that manufactured the hardware on which the client is - running, the software in use, or an industry consortium to which - the vendor belongs. This field is described in RFC 3925. - - name: subnet_mask - type: ip - description: | - The subnet mask that the client should use on the currnet - network. 
- - name: utc_time_offset_sec - type: long - description: | - The time offset field specifies the offset of the client's - subnet in seconds from Coordinated Universal Time (UTC). - - name: router - type: ip - description: | - The router option specifies a list of IP addresses for routers - on the client's subnet. - - name: time_servers - type: ip - description: | - The time server option specifies a list of RFC 868 time servers - available to the client. - - name: ntp_servers - type: ip - description: | - This option specifies a list of IP addresses indicating NTP - servers available to the client. - - name: hostname - type: keyword - description: | - This option specifies the name of the client. - - name: ip_address_lease_time_sec - type: long - description: | - This option is used in a client request (DHCPDISCOVER or - DHCPREQUEST) to allow the client to request a lease time for the - IP address. In a server reply (DHCPOFFER), a DHCP server uses - this option to specify the lease time it is willing to offer. - - name: message - type: text - description: | - This option is used by a DHCP server to provide an error message - to a DHCP client in a DHCPNAK message in the event of a failure. - A client may use this option in a DHCPDECLINE message to - indicate the why the client declined the offered parameters. - - name: renewal_time_sec - type: long - description: | - This option specifies the time interval from address assignment - until the client transitions to the RENEWING state. - - name: rebinding_time_sec - type: long - description: | - This option specifies the time interval from address assignment - until the client transitions to the REBINDING state. - - name: boot_file_name - type: keyword - description: | - This option is used to identify a bootfile when the 'file' field - in the DHCP header has been used for DHCP options. 
diff --git a/packages/network_traffic/1.2.0/data_stream/dhcpv4/manifest.yml b/packages/network_traffic/1.2.0/data_stream/dhcpv4/manifest.yml deleted file mode 100755 index 164d86ca2f..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/dhcpv4/manifest.yml +++ /dev/null @@ -1,49 +0,0 @@ -title: DHCP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [67, 68] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: DHCP - description: Capture DHCP Traffic - template_path: dhcpv4.yml.hbs diff --git a/packages/network_traffic/1.2.0/data_stream/dhcpv4/sample_event.json b/packages/network_traffic/1.2.0/data_stream/dhcpv4/sample_event.json deleted file mode 100755 index 59ab870695..0000000000 
--- a/packages/network_traffic/1.2.0/data_stream/dhcpv4/sample_event.json +++ /dev/null 
@@ -1,111 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:43:52.712Z", - "agent": { - "ephemeral_id": "b98a43ba-d050-42e6-ab2f-2eba352e9cb0", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "data_stream": { - "dataset": "network_traffic.dhcpv4", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "255.255.255.255", - "port": 67 - }, - "dhcpv4": { - "client_mac": "00-0B-82-01-FC-42", - "flags": "unicast", - "hardware_type": "Ethernet", - "hops": 0, - "op_code": "bootrequest", - "option": { - "message_type": "discover", - "parameter_request_list": [ - "Subnet Mask", - "Router", - "Domain Name Server", - "NTP Servers" - ], - "requested_ip_address": "0.0.0.0" - }, - "seconds": 0, - "transaction_id": "0x00003d1d" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dhcpv4", - "ingested": "2022-03-09T07:43:53Z", - "kind": "event", - "start": "2022-03-09T07:43:52.712Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "bytes": 272, - "community_id": "1:t9O1j0qj71O4wJM7gnaHtgmfev8=", - "direction": "unknown", - "protocol": "dhcpv4", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "ip": [ - "0.0.0.0", - "255.255.255.255" - ] - }, - "server": { - "ip": "255.255.255.255", - 
"port": 67 - }, - "source": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "status": "OK", - "type": "dhcpv4" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/data_stream/dns/agent/stream/dns.yml.hbs b/packages/network_traffic/1.2.0/data_stream/dns/agent/stream/dns.yml.hbs deleted file mode 100755 index 1c81667ce1..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/dns/agent/stream/dns.yml.hbs +++ /dev/null @@ -1,47 +0,0 @@ -type: dns -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if include_authorities}} -include_authorities: {{include_authorities}} -{{/if}} -{{#if include_additionals}} -include_additionals: {{include_additionals}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.2.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.2.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 70d49c51b6..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing dhcpv4 traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.2.0/data_stream/dns/fields/agent.yml b/packages/network_traffic/1.2.0/data_stream/dns/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/dns/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/network_traffic/1.2.0/data_stream/dns/fields/base.yml b/packages/network_traffic/1.2.0/data_stream/dns/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/dns/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.2.0/data_stream/dns/fields/beats.yml b/packages/network_traffic/1.2.0/data_stream/dns/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/dns/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.2.0/data_stream/dns/fields/ecs.yml b/packages/network_traffic/1.2.0/data_stream/dns/fields/ecs.yml
deleted file mode 100755
index e2ea6f338f..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/dns/fields/ecs.yml
+++ /dev/null
@@ -1,200 +0,0 @@
-- description: Bytes sent from the client to the server.
- name: client.bytes
- type: long
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
-- description: Port of the client.
- name: client.port
- type: long
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- An array containing an object for each answer section returned by the server.
- The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.
- Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.
- name: dns.answers
- type: object
-- description: The class of DNS data contained in this resource record.
- name: dns.answers.class
- type: keyword
-- description: |-
- The data describing the resource.
- The meaning of this data depends on the type and class of the resource record.
- name: dns.answers.data
- type: keyword
-- description: |-
- The domain name to which this resource record pertains.
- If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.
- name: dns.answers.name
- type: keyword
-- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
- name: dns.answers.ttl
- type: long
-- description: The type of data contained in this resource record.
- name: dns.answers.type
- type: keyword
-- description: |-
- Array of 2 letter DNS header flags.
- Expected values are: AA, TC, RD, RA, AD, CD, DO.
- name: dns.header_flags
- type: keyword
-- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
- name: dns.id
- type: keyword
-- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.
- name: dns.op_code
- type: keyword
-- description: The class of records being queried.
- name: dns.question.class
- type: keyword
-- description: |-
- The name being queried.
- If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
- name: dns.question.name
- type: keyword
-- description: |-
- The highest registered domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: dns.question.registered_domain
- type: keyword
-- description: |-
- The subdomain is all of the labels under the registered_domain.
- If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: dns.question.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: dns.question.top_level_domain
- type: keyword
-- description: The type of record being queried.
- name: dns.question.type
- type: keyword
-- description: |-
- Array containing all IPs seen in `answers.data`.
- The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.
- name: dns.resolved_ip
- type: ip
-- description: The DNS response code.
- name: dns.response_code
- type: keyword
-- description: |-
- The type of DNS event captured, query or answer.
- If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.
- If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers.
- name: dns.type
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array.
This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- Name of the dataset.
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
- name: event.dataset
- type: keyword
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array.
This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: Bytes sent from the server to the client.
- name: server.bytes
- type: long
-- description: IP address of the server (IPv4 or IPv6).
- name: server.ip
- type: ip
-- description: Port of the server.
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.2.0/data_stream/dns/fields/protocol.yml b/packages/network_traffic/1.2.0/data_stream/dns/fields/protocol.yml
deleted file mode 100755
index 28d506b996..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/dns/fields/protocol.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: dns
- type: group
- fields:
- - name: flags.authoritative
- type: boolean
- description: >
- A DNS flag specifying that the responding server is an authority for the domain name used in the question.
-
- - name: flags.recursion_available
- type: boolean
- description: >
- A DNS flag specifying whether recursive query support is available in the name server.
-
- - name: flags.recursion_desired
- type: boolean
- description: >
- A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional.
-
- - name: flags.authentic_data
- type: boolean
- description: >
- A DNS flag specifying that the recursive server considers the response authentic.
-
- - name: flags.checking_disabled
- type: boolean
- description: >
- A DNS flag specifying that the client disables the server signature validation of the query.
-
- - name: flags.truncated_response
- type: boolean
- description: >
- A DNS flag specifying that only the first 512 bytes of the reply were returned.
-
- - name: question.etld_plus_one
- type: keyword
- description: The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org.
- example: amazon.co.uk.
- - name: answers_count
- type: long
- description: >
- The number of resource records contained in the `dns.answers` field.
-
- - name: authorities
- type: object
- description: >
- An array containing a dictionary for each authority section from the answer.
-
- - name: authorities_count
- type: long
- description: >
- The number of resource records contained in the `dns.authorities` field. The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat.
-
- - name: authorities.name
- type: keyword
- description: The domain name to which this resource record pertains.
- example: example.com.
- - name: authorities.type
- type: keyword
- description: The type of data contained in this resource record.
- example: NS
- - name: authorities.class
- type: keyword
- description: The class of DNS data contained in this resource record.
- example: IN
- - name: additionals
- type: object
- description: >
- An array containing a dictionary for each additional section from the answer.
-
- - name: additionals_count
- type: long
- description: >
- The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat.
-
- - name: additionals.name
- type: keyword
- description: The domain name to which this resource record pertains.
- example: example.com.
- - name: additionals.type
- type: keyword
- description: The type of data contained in this resource record.
- example: NS
- - name: additionals.class
- type: keyword
- description: The class of DNS data contained in this resource record.
- example: IN
- - name: additionals.ttl
- description: >
- The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
-
- type: long
- - name: additionals.data
- type: keyword
- description: >
- The data describing the resource. The meaning of this data depends on the type and class of the resource record.
-
- - name: opt.version
- type: keyword
- description: The EDNS version.
- example: "0"
- - name: opt.do
- type: boolean
- description: If set, the transaction uses DNSSEC.
- - name: opt.ext_rcode
- type: keyword
- description: Extended response code field.
- example: "BADVERS"
- - name: opt.udp_size
- type: long
- description: Requestor's UDP payload size (in bytes).
diff --git a/packages/network_traffic/1.2.0/data_stream/dns/manifest.yml b/packages/network_traffic/1.2.0/data_stream/dns/manifest.yml
deleted file mode 100755
index 4cbea720eb..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/dns/manifest.yml
+++ /dev/null
@@ -1,104 +0,0 @@
-title: DNS
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [53]
- - name: monitor_processes
- type: bool
- title: Monitor Processes
- description: |-
- If this option is enabled then network traffic events will be enriched
- with information about the process associated with the events.
- show_user: true
- multi: false
- required: false
- - name: include_authorities
- type: bool
- title: Include Authorities
- description: |-
- include_authorities controls whether or not the dns.authorities field
- (authority resource records) is added to messages.
- Default: false
- show_user: false
- multi: false
- required: false
- - name: include_additionals
- type: bool
- title: Include Additionals
- description: |-
- include_additionals controls whether or not the dns.additionals field
- (additional resource records) is added to messages.
- Default: false
- show_user: false
- multi: false
- required: false
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- send_request controls whether or not the stringified DNS
- request messages are added to the result.
- Nearly all data about the request/response is available in the dns.*
- fields, but this can be useful if you need visibility specifically
- into the request or the response.
- Default: false
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- send_response controls whether or not the stringified DNS
- response messages are added to the result.
- Nearly all data about the request/response is available in the dns.*
- fields, but this can be useful if you need visibility specifically
- into the request or the response.
- Default: false
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: DNS
- description: Capture DNS Traffic
- template_path: dns.yml.hbs
diff --git a/packages/network_traffic/1.2.0/data_stream/dns/sample_event.json b/packages/network_traffic/1.2.0/data_stream/dns/sample_event.json
deleted file mode 100755
index 476a880555..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/dns/sample_event.json
+++ /dev/null
@@ -1,158 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:48:42.751Z", - "agent": { - "ephemeral_id": "1d099984-2551-49e1-9e6a-c1dff964be0f", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "data_stream": { - "dataset": "network_traffic.dns", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "dns": { - "additionals_count": 0, - "answers": [ - { - "class": "IN", - "data": "ns-1183.awsdns-19.org", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-2007.awsdns-58.co.uk", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-66.awsdns-08.com", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-835.awsdns-40.net", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - } - ], - "answers_count": 4, - "authorities_count": 0, - "flags": { - "authentic_data": false, - "authoritative": false, - "checking_disabled": false, - "recursion_available": true, - "recursion_desired": true, - "truncated_response": false - }, - "header_flags": [ - "RD", - "RA" - ], - "id": 26187, - "op_code": "QUERY", - "question": { - "class": "IN", - "etld_plus_one": "elastic.co", - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "NS" - }, - "response_code": "NOERROR", - "type": "answer" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dns", - "duration": 68515700, - "end": "2022-03-09T07:48:42.819Z", - "ingested": "2022-03-09T07:48:43Z", - "kind": "event", - "start": 
"2022-03-09T07:48:42.751Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "QUERY", - "network": { - "bytes": 195, - "community_id": "1:3P4ruI0bVlqxiTAs0WyBhnF74ek=", - "direction": "unknown", - "protocol": "dns", - "transport": "udp", - "type": "ipv4" - }, - "query": "class IN, type NS, elastic.co", - "related": { - "ip": [ - "192.168.238.68", - "8.8.8.8" - ] - }, - "resource": "elastic.co", - "server": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "source": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "status": "OK", - "type": "dns" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/data_stream/flow/agent/stream/flow.yml.hbs b/packages/network_traffic/1.2.0/data_stream/flow/agent/stream/flow.yml.hbs deleted file mode 100755 index 8089322070..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/flow/agent/stream/flow.yml.hbs +++ /dev/null @@ -1,19 +0,0 @@ -type: flow -{{#if timeout}} -flows.timeout: '{{timeout}}' -{{/if}} -{{#if period}} -flows.period: '{{period}}' -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.2.0/data_stream/flow/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.2.0/data_stream/flow/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 8a45c554fd..0000000000 
--- a/packages/network_traffic/1.2.0/data_stream/flow/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing traffic flows
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.2.0/data_stream/flow/fields/agent.yml b/packages/network_traffic/1.2.0/data_stream/flow/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/flow/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.2.0/data_stream/flow/fields/base.yml b/packages/network_traffic/1.2.0/data_stream/flow/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/flow/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.2.0/data_stream/flow/fields/beats.yml b/packages/network_traffic/1.2.0/data_stream/flow/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/flow/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.2.0/data_stream/flow/fields/ecs.yml b/packages/network_traffic/1.2.0/data_stream/flow/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/flow/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.2.0/data_stream/flow/manifest.yml b/packages/network_traffic/1.2.0/data_stream/flow/manifest.yml deleted file mode 100755 index 88301fa55b..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/flow/manifest.yml +++ /dev/null @@ -1,32 +0,0 @@ -title: Flows -release: beta -type: logs -streams: - - input: packet - title: Flows - description: Track Network Flows - template_path: flow.yml.hbs - vars: - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: period - type: text - title: Period - required: false - show_user: false - description: Configure the reporting interval. All flows are reported at the very same point in time. Periodical reporting can be disabled by setting the value to -1. If disabled, flows are still reported once being timed out. - default: '10s' - - name: timeout - type: text - title: Flow timeout - description: Timeout configures the lifetime of a flow. If no packets have been received for a flow within the timeout time window, the flow is killed and reported. - required: false - show_user: false - default: '30s' diff --git a/packages/network_traffic/1.2.0/data_stream/http/agent/stream/http.yml.hbs b/packages/network_traffic/1.2.0/data_stream/http/agent/stream/http.yml.hbs deleted file mode 100755 index a9fc16e488..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/http/agent/stream/http.yml.hbs +++ /dev/null 
@@ -1,89 +0,0 @@ -type: http -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if hide_keywords}} -hide_keywords: -{{#each hide_keywords as |hide_keyword|}} - - {{hide_keyword}} -{{/each}} -{{/if}} -{{#if send_headers}} -send_headers: {{send_headers}} -{{/if}} -{{#if send_all_headers}} -send_all_headers: {{send_all_headers}} -{{/if}} -{{#if redact_headers}} -redact_headers: -{{#each redact_headers as |redact_header|}} - - {{redact_header}} -{{/each}} -{{/if}} -{{#if include_body_for}} -include_body_for: -{{#each include_body_for as |include_body_for_elem|}} - - {{include_body_for_elem}} -{{/each}} -{{/if}} -{{#if include_request_body_for}} -include_request_body_for: -{{#each include_request_body_for as |include_request_body_for_elem|}} - - {{include_request_body_for_elem}} -{{/each}} -{{/if}} -{{#if include_response_body_for}} -include_response_body_for: -{{#each include_response_body_for as |include_response_body_for_elem|}} - - {{include_response_body_for_elem}} -{{/each}} -{{/if}} -{{#if decode_body}} -decode_body: {{decode_body}} -{{/if}} -{{#if split_cookie}} -split_cookie: {{split_cookie}} -{{/if}} -{{#if real_ip_header}} -real_ip_header: {{real_ip_header}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if max_message_size}} -max_message_size: {{max_message_size}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} 
diff --git a/packages/network_traffic/1.2.0/data_stream/http/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.2.0/data_stream/http/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index e0cbf2bf88..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/http/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing http traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.2.0/data_stream/http/fields/agent.yml b/packages/network_traffic/1.2.0/data_stream/http/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/http/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.2.0/data_stream/http/fields/base.yml b/packages/network_traffic/1.2.0/data_stream/http/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/http/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.2.0/data_stream/http/fields/beats.yml b/packages/network_traffic/1.2.0/data_stream/http/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/http/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.2.0/data_stream/http/fields/ecs.yml b/packages/network_traffic/1.2.0/data_stream/http/fields/ecs.yml deleted file mode 100755 index d003c7093e..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/http/fields/ecs.yml +++ /dev/null 
@@ -1,203 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Size in bytes of the request body. - name: http.request.body.bytes - type: long -- description: Total size in bytes of the request (body and headers). 
- name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Size in bytes of the response body. - name: http.response.body.bytes - type: long -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: HTTP version. - name: http.version - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. 
This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: |- - Domain of the url, such as "www.elastic.co". 
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword 
diff --git a/packages/network_traffic/1.2.0/data_stream/http/fields/protocol.yml b/packages/network_traffic/1.2.0/data_stream/http/fields/protocol.yml deleted file mode 100755 index 51b73ae344..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/http/fields/protocol.yml +++ /dev/null @@ -1,26 +0,0 @@ -- name: http - type: group - description: Information about the HTTP request and response. - fields: - - name: request - description: HTTP request - type: group - fields: - - name: headers - type: flattened - description: > - A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. - - - name: response - description: HTTP response - type: group - fields: - - name: status_phrase - type: keyword - description: The HTTP status phrase. - example: Not Found - - name: headers - type: flattened - description: > - A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. - diff --git a/packages/network_traffic/1.2.0/data_stream/http/manifest.yml b/packages/network_traffic/1.2.0/data_stream/http/manifest.yml deleted file mode 100755 index e7f68c99df..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/http/manifest.yml +++ /dev/null 
@@ -1,182 +0,0 @@ -title: HTTP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [80, 8080, 8000, 5000, 8002] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: hide_keywords - type: text - title: Hide Keywords - description: |- - Uncomment the following to hide certain parameters in URL or forms attached - to HTTP requests. The names of the parameters are case insensitive. - The value of the parameters will be replaced with the 'xxxxx' string. - This is generally useful for avoiding storing user passwords or other - sensitive information. - Only query parameters and top level form parameters are replaced. - show_user: false - multi: true - required: false - - name: send_headers - type: bool - title: Send Headers - description: |- - A list of header names to capture and send to Elasticsearch. These headers - are placed under the `headers` dictionary in the resulting JSON. - show_user: false - multi: false - required: false - - name: send_all_headers - type: bool - title: Send All Headers - description: |- - Instead of sending a white list of headers to Elasticsearch, you can send - all headers by setting this option to true. The default is false. - show_user: false - multi: false - required: false - - name: redact_headers - type: text - title: Redact Headers - description: |- - A list of headers to redact if present in the HTTP request. This will keep - the header field present, but will redact it's value to show the headers - presence. 
- show_user: false - multi: true - required: false - - name: include_body_for - type: text - title: Include Body For - description: |- - The list of content types for which Packetbeat includes the full HTTP - payload. If the request's or response's Content-Type matches any on this - list, the full body will be included under the request or response field. - show_user: false - multi: true - required: false - - name: include_request_body_for - type: text - title: Include Request Body For - description: |- - The list of content types for which Packetbeat includes the full HTTP - request payload. - show_user: false - multi: true - required: false - - name: include_response_body_for - type: text - title: Include Response Body For - description: |- - The list of content types for which Packetbeat includes the full HTTP - response payload. - show_user: false - multi: true - required: false - - name: decode_body - type: bool - title: Decode Body - description: |- - Whether the body of a request must be decoded when a content-encoding - or transfer-encoding has been applied. - show_user: false - multi: false - required: false - - name: split_cookie - type: bool - title: Split Cookie - description: |- - If the Cookie or Set-Cookie headers are sent, this option controls whether - they are split into individual values. - show_user: false - multi: false - required: false - - name: real_ip_header - type: bool - title: Real Ip Header - description: |- - The header field to extract the real IP from. This setting is useful when - you want to capture traffic behind a reverse proxy, but you want to get the - geo-location information. - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. 
- show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: max_message_size - type: integer - title: Max Message Size - description: |- - Maximum message size. If an HTTP message is larger than this, it will - be trimmed to this size. Default is 10 MB. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: HTTP - description: Capture HTTP Traffic - template_path: http.yml.hbs diff --git a/packages/network_traffic/1.2.0/data_stream/http/sample_event.json b/packages/network_traffic/1.2.0/data_stream/http/sample_event.json deleted file mode 100755 index f07301394b..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/http/sample_event.json +++ /dev/null 
@@ -1,139 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:54:42.031Z", - "agent": { - "ephemeral_id": "822947c0-15fd-4278-ba0d-2cc64d687bb2", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 211, - "ip": "192.168.238.50", - "port": 64770 - }, - "data_stream": { - "dataset": "network_traffic.http", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 9108, - "domain": "packetbeat.com", - "ip": "107.170.1.22", - "port": 80 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.http", - "duration": 141490400, - "end": "2022-03-09T07:54:42.172Z", - "ingested": "2022-03-09T07:54:43Z", - "kind": "event", - "start": "2022-03-09T07:54:42.031Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "http": { - "request": { - "body": { - "bytes": 55 - }, - "bytes": 211, - "headers": { - "content-length": 55, - "content-type": "application/x-www-form-urlencoded" - }, - "method": "POST" - }, - "response": { - "body": { - "bytes": 8936 - }, - "bytes": 9108, - "headers": { - "content-length": 8936, - "content-type": "text/html; charset=utf-8" - }, - "status_code": 404, - "status_phrase": "not found" - }, - "version": "1.1" - }, - "method": "POST", - "network": { - "bytes": 9319, - "community_id": "1:LREAuuDqOAxXEbzF064U0QX5FBs=", - "direction": "unknown", - 
"protocol": "http", - "transport": "tcp", - "type": "ipv4" - }, - "query": "POST /register", - "related": { - "hosts": [ - "packetbeat.com" - ], - "ip": [ - "192.168.238.50", - "107.170.1.22" - ] - }, - "server": { - "bytes": 9108, - "domain": "packetbeat.com", - "ip": "107.170.1.22", - "port": 80 - }, - "source": { - "bytes": 211, - "ip": "192.168.238.50", - "port": 64770 - }, - "status": "Error", - "type": "http", - "url": { - "domain": "packetbeat.com", - "full": "http://packetbeat.com/register?address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", - "path": "/register", - "query": "address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", - "scheme": "http" - }, - "user_agent": { - "original": "curl/7.37.1" - } -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/data_stream/icmp/agent/stream/icmp.yml.hbs b/packages/network_traffic/1.2.0/data_stream/icmp/agent/stream/icmp.yml.hbs deleted file mode 100755 index 2c27e9ec06..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/icmp/agent/stream/icmp.yml.hbs +++ /dev/null @@ -1,26 +0,0 @@ -type: icmp -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.2.0/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.2.0/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 1ae74a0692..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing icmp traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.2.0/data_stream/icmp/fields/agent.yml b/packages/network_traffic/1.2.0/data_stream/icmp/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/icmp/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.2.0/data_stream/icmp/fields/base.yml b/packages/network_traffic/1.2.0/data_stream/icmp/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/icmp/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.2.0/data_stream/icmp/fields/beats.yml b/packages/network_traffic/1.2.0/data_stream/icmp/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/icmp/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.2.0/data_stream/icmp/fields/ecs.yml b/packages/network_traffic/1.2.0/data_stream/icmp/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/icmp/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.2.0/data_stream/icmp/fields/protocol.yml b/packages/network_traffic/1.2.0/data_stream/icmp/fields/protocol.yml deleted file mode 100755 index 5aef1deaf4..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/icmp/fields/protocol.yml +++ /dev/null @@ -1,27 +0,0 @@ -- name: icmp - type: group - fields: - - name: version - type: long - description: The version of the ICMP protocol. - possible_values: - - 4 - - 6 - - name: request.message - type: keyword - description: A human readable form of the request. - - name: request.type - type: long - description: The request type. - - name: request.code - type: long - description: The request code. - - name: response.message - type: keyword - description: A human readable form of the response. - - name: response.type - type: long - description: The response type. - - name: response.code - type: long - description: The response code. diff --git a/packages/network_traffic/1.2.0/data_stream/icmp/manifest.yml b/packages/network_traffic/1.2.0/data_stream/icmp/manifest.yml deleted file mode 100755 index 65389d2e13..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/icmp/manifest.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -title: ICMP -release: beta -type: logs -streams: - - input: packet - title: ICMP - description: Capture ICMP Traffic - template_path: icmp.yml.hbs - vars: - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false diff --git a/packages/network_traffic/1.2.0/data_stream/icmp/sample_event.json b/packages/network_traffic/1.2.0/data_stream/icmp/sample_event.json deleted file mode 100755 index 6dfd5d97d4..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/icmp/sample_event.json +++ /dev/null 
@@ -1,104 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:57:32.766Z", - "agent": { - "ephemeral_id": "34e079a4-8dee-40db-a820-2296c225fbbe", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 4, - "ip": "::1" - }, - "data_stream": { - "dataset": "network_traffic.icmp", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 4, - "ip": "::2" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.icmp", - "duration": 13336600, - "end": "2022-03-09T07:57:32.779Z", - "ingested": "2022-03-09T07:57:36Z", - "kind": "event", - "start": "2022-03-09T07:57:32.766Z", - "type": [ - "connection" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "icmp": { - "request": { - "code": 0, - "message": "EchoRequest", - "type": 128 - }, - "response": { - "code": 0, - "message": "EchoReply", - "type": 129 - }, - "version": 6 - }, - "network": { - "bytes": 8, - "community_id": "1:9UpHcZHFAOl8WqZVOs5YRQ5wDGE=", - "direction": "egress", - "transport": "ipv6-icmp", - "type": "ipv6" - }, - "path": "::2", - "related": { - "ip": [ - "::1", - "::2" - ] - }, - "server": { - "bytes": 4, - "ip": "::2" - }, - "source": { - "bytes": 4, - "ip": "::1" - }, - "status": "OK", - "type": "icmp" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.2.0/data_stream/memcached/agent/stream/memcached.yml.hbs b/packages/network_traffic/1.2.0/data_stream/memcached/agent/stream/memcached.yml.hbs deleted file mode 100755 index fb53ef747c..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/memcached/agent/stream/memcached.yml.hbs +++ /dev/null @@ -1,53 +0,0 @@ -type: memcache -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if parseunknown}} -parseunknown: {{parseunknown}} -{{/if}} -{{#if maxvalues}} -maxvalues: {{maxvalues}} -{{/if}} -{{#if maxbytespervalue}} -maxbytespervalue: {{maxbytespervalue}} -{{/if}} -{{#if udptransactiontimeout}} -udptransactiontimeout: {{udptransactiontimeout}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.2.0/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.2.0/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 79d3c2cf54..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing memcached traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.2.0/data_stream/memcached/fields/agent.yml b/packages/network_traffic/1.2.0/data_stream/memcached/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/memcached/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.2.0/data_stream/memcached/fields/base.yml b/packages/network_traffic/1.2.0/data_stream/memcached/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/memcached/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.2.0/data_stream/memcached/fields/beats.yml b/packages/network_traffic/1.2.0/data_stream/memcached/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/memcached/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.2.0/data_stream/memcached/fields/ecs.yml b/packages/network_traffic/1.2.0/data_stream/memcached/fields/ecs.yml deleted file mode 100755 index 7638afce57..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/memcached/fields/ecs.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.2.0/data_stream/memcached/fields/protocol.yml b/packages/network_traffic/1.2.0/data_stream/memcached/fields/protocol.yml deleted file mode 100755 index 4d1c281dde..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/memcached/fields/protocol.yml +++ /dev/null 
@@ -1,215 +0,0 @@ -- name: memcache - type: group - fields: - - name: protocol_type - type: keyword - description: > - The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. - - - name: request.line - type: keyword - description: > - The raw command line for unknown commands ONLY. - - - name: request.command - type: keyword - description: > - The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. - - - name: response.command - type: keyword - description: > - Either the text based protocol response message type or the name of the originating request if binary protocol is used. - - - name: request.type - type: keyword - description: > - The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". - - - name: response.type - type: keyword - description: > - The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). - - - name: response.error_msg - type: keyword - description: > - The optional error message in the memcache response (text based protocol only). - - - name: request.opcode - type: keyword - description: > - The binary protocol message opcode name. - - - name: response.opcode - type: keyword - description: > - The binary protocol message opcode name. - - - name: request.opcode_value - type: long - description: > - The binary protocol message opcode value. 
- - - name: response.opcode_value - type: long - description: > - The binary protocol message opcode value. - - - name: request.opaque - type: long - description: > - The binary protocol opaque header value used for correlating request with response messages. - - - name: response.opaque - type: long - description: > - The binary protocol opaque header value used for correlating request with response messages. - - - name: request.vbucket - type: long - description: > - The vbucket index sent in the binary message. - - - name: response.status - type: keyword - description: > - The textual representation of the response error code (binary protocol only). - - - name: response.status_code - type: long - description: > - The status code value returned in the response (binary protocol only). - - - name: request.keys - type: array - description: > - The list of keys sent in the store or load commands. - - - name: response.keys - type: array - description: > - The list of keys returned for the load command (if present). - - - name: request.count_values - type: long - description: > - The number of values found in the memcache request message. If the command does not send any data, this field is missing. - - - name: response.count_values - type: long - description: > - The number of values found in the memcache response message. If the command does not send any data, this field is missing. - - - name: request.values - type: array - description: > - The list of base64 encoded values sent with the request (if present). - - - name: response.values - type: array - description: > - The list of base64 encoded values sent with the response (if present). - - - name: request.bytes - type: long - format: bytes - description: > - The byte count of the values being transferred. - - - name: response.bytes - type: long - format: bytes - description: > - The byte count of the values being transferred. 
- - - name: request.delta - type: long - description: > - The counter increment/decrement delta value. - - - name: request.initial - type: long - description: > - The counter increment/decrement initial value parameter (binary protocol only). - - - name: request.verbosity - type: long - description: > - The value of the memcache "verbosity" command. - - - name: request.raw_args - type: keyword - description: > - The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. - - - name: request.source_class - type: long - description: > - The source class id in 'slab reassign' command. - - - name: request.dest_class - type: long - description: > - The destination class id in 'slab reassign' command. - - - name: request.automove - type: keyword - description: > - The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. - - - name: request.flags - type: long - description: > - The memcache command flags sent in the request (if present). - - - name: response.flags - type: long - description: > - The memcache message flags sent in the response (if present). - - - name: request.exptime - type: long - description: > - The data expiry time in seconds sent with the memcache command (if present). If the value is `< 30` days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). - - - name: request.sleep_us - type: long - description: > - The sleep setting in microseconds for the 'lru_crawler sleep' command. - - - name: response.value - type: long - description: > - The counter value returned by a counter operation. - - - name: request.noreply - type: boolean - description: > - Set to true if noreply was set in the request. The `memcache.response` field will be missing. 
-
-  - name: request.quiet
-    type: boolean
-    description: >
-      Set to true if the binary protocol message is to be treated as a quiet message.
-
-  - name: request.cas_unique
-    type: long
-    description: >
-      The CAS (compare-and-swap) identifier if present.
-
-  - name: response.cas_unique
-    type: long
-    description: >
-      The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present).
-
-  - name: response.stats
-    type: array
-    description: >
-      The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value".
-
-  - name: response.version
-    type: keyword
-    description: >
-      The returned memcache version string.
-
diff --git a/packages/network_traffic/1.2.0/data_stream/memcached/manifest.yml b/packages/network_traffic/1.2.0/data_stream/memcached/manifest.yml
deleted file mode 100755
index a40b7e1c77..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/memcached/manifest.yml
+++ /dev/null
@@ -1,125 +0,0 @@ -title: Memcached -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [11211] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: parseunknown - type: bool - title: Parseunknown - description: |- - Uncomment the parseunknown option to force the memcache text protocol parser - to accept unknown commands. - Note: All unknown commands MUST not contain any data parts! - Default: false - show_user: false - multi: false - required: false - - name: maxvalues - type: integer - title: Maxvalues - description: |- - Update the maxvalue option to store the values - base64 encoded - in the - json output. - possible values: - maxvalue: -1 store all values (text based protocol multi-get) - maxvalue: 0 store no values at all - maxvalue: N store up to N values - Default: 0 - show_user: false - multi: false - required: false - - name: maxbytespervalue - type: integer - title: Maxbytespervalue - description: |- - Use maxbytespervalue to limit the number of bytes to be copied per value element. - Note: Values will be base64 encoded, so actual size in json document - will be 4 times maxbytespervalue. - Default: unlimited - show_user: false - multi: false - required: false - - name: udptransactiontimeout - type: integer - title: Udptransactiontimeout - description: |- - UDP transaction timeout in milliseconds. - Note: Quiet messages in UDP binary protocol will get response only in error case. 
- The memcached analyzer will wait for udptransactiontimeout milliseconds - before publishing quiet messages. Non quiet messages or quiet requests with - error response will not have to wait for the timeout. - Default: 200 - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Memcached - description: Capture Memcached Traffic - template_path: memcached.yml.hbs 
diff --git a/packages/network_traffic/1.2.0/data_stream/memcached/sample_event.json b/packages/network_traffic/1.2.0/data_stream/memcached/sample_event.json
deleted file mode 100755
index 4b4dc284f8..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/memcached/sample_event.json
+++ /dev/null
@@ -1,112 +0,0 @@
-{
-    "@timestamp": "2022-03-09T08:09:26.564Z",
-    "agent": {
-        "ephemeral_id": "53c3aab1-4c1d-4f33-87a9-1d1d4ce75205",
-        "id": "f789afb0-558d-48bd-b448-0fc838efd730",
-        "name": "docker-fleet-agent",
-        "type": "packetbeat",
-        "version": "8.0.0"
-    },
-    "client": {
-        "ip": "192.168.188.37",
-        "port": 65195
-    },
-    "data_stream": {
-        "dataset": "network_traffic.memcached",
-        "namespace": "ep",
-        "type": "logs"
-    },
-    "destination": {
-        "bytes": 1064,
-        "ip": "192.168.188.38",
-        "port": 11211
-    },
-    "ecs": {
-        "version": "8.2.0"
-    },
-    "elastic_agent": {
-        "id": "f789afb0-558d-48bd-b448-0fc838efd730",
-        "snapshot": false,
-        "version": "8.0.0"
-    },
-    "event": {
-        "agent_id_status": "verified",
-        "category": [
-            "network"
-        ],
-        "dataset": "network_traffic.memcached",
-        "ingested": "2022-03-09T08:09:37Z",
-        "kind": "event",
-        "start": "2022-03-09T08:09:26.564Z",
-        "type": [
-            "connection",
-            "protocol"
-        ]
-    },
-    "event.action": "memcache.store",
-    "host": {
-        "architecture": "x86_64",
-        "containerized": true,
-        "hostname": "docker-fleet-agent",
-        "ip": [
-            "192.168.176.7"
-        ],
-        "mac": [
-            "02-42-C0-A8-B0-07"
-        ],
-        "name": "docker-fleet-agent",
-        "os": {
-            "codename": "focal",
-            "family": "debian",
-            "kernel": "5.10.47-linuxkit",
-            "name": "Ubuntu",
-            "platform": "ubuntu",
-            "type": "linux",
-            "version": "20.04.3 LTS (Focal Fossa)"
-        }
-    },
-    "memcache": {
-        "protocol_type": "binary",
-        "request": {
-            "bytes": 1024,
-            "command": "set",
-            "count_values": 1,
-            "exptime": 0,
-            "flags": 0,
-            "keys": [
-                "test_key"
-            ],
-            "opaque": 65536,
-            "opcode": "SetQ",
-            "opcode_value": 17,
-            "quiet": true,
-            "type": "Store",
-            "vbucket": 0
-        }
-    },
-    "network": {
-        "bytes": 1064,
-        "community_id": "1:QMbWqXK5vGDDbp48SEFuFe8Z1lQ=",
-        "direction": "unknown",
-        "protocol": "memcache",
-        "transport": "udp",
-        "type": "ipv4"
-    },
-    "related": {
-        "ip": [
-            "192.168.188.37",
-            "192.168.188.38"
-        ]
-    },
-    "server": {
-        "bytes": 1064,
-        "ip": "192.168.188.38",
-        "port": 11211
-    },
-    "source": {
-        "ip": "192.168.188.37",
-        "port": 65195
-    },
-    "status": "OK",
-    "type": "memcache"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.2.0/data_stream/mongodb/agent/stream/mongodb.yml.hbs b/packages/network_traffic/1.2.0/data_stream/mongodb/agent/stream/mongodb.yml.hbs
deleted file mode 100755
index c640e07523..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/mongodb/agent/stream/mongodb.yml.hbs
+++ /dev/null
@@ -1,47 +0,0 @@
-type: mongodb
-{{#if port}}
-ports:
-{{#each port as |p|}}
-  - {{p}}
-{{/each}}
-{{/if}}
-{{#if max_docs}}
-max_docs: {{max_docs}}
-{{/if}}
-{{#if max_doc_length}}
-max_doc_length: {{max_doc_length}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
-  - {{tag}}
-{{/each}}
-{{/if}}
-{{#if monitor_processes}}
-procs:
-  enabled: true
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
-  file: {{interface}}
-{{else}}
-  device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.2.0/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.2.0/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 53b9f4a0df..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing mongodb traffic
-processors:
-- set:
-    field: ecs.version
-    value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
-    field: host.mac
-    pattern: '[-:.]'
-    replacement: ''
-    ignore_missing: true
-- gsub:
-    field: host.mac
-    pattern: '(..)(?!$)'
-    replacement: '$1-'
-    ignore_missing: true
-- uppercase:
-    field: host.mac
-    ignore_missing: true
-- script:
-    description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
-    # This string-based comparison is valid while versions are below v10.x.
-    if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
-    lang: painless
-    source: >
-      if (ctx.event?.category != null) {
-        for (int i=ctx.event.category.length-1; i>=0; i--) {
-          if (ctx.event.category[i] == "network_traffic") {
-            ctx.event.category.remove(i);
-          }
-        }
-      }
-
-on_failure:
-- set:
-    field: error.message
-    value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.2.0/data_stream/mongodb/fields/agent.yml b/packages/network_traffic/1.2.0/data_stream/mongodb/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/mongodb/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.2.0/data_stream/mongodb/fields/base.yml b/packages/network_traffic/1.2.0/data_stream/mongodb/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/mongodb/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
-  type: constant_keyword
-  description: Data stream type.
-- name: data_stream.dataset
-  type: constant_keyword
-  description: Data stream dataset.
-- name: data_stream.namespace
-  type: constant_keyword
-  description: Data stream namespace.
-- name: "@timestamp"
-  type: date
-  description: Event timestamp.
diff --git a/packages/network_traffic/1.2.0/data_stream/mongodb/fields/beats.yml b/packages/network_traffic/1.2.0/data_stream/mongodb/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/mongodb/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.2.0/data_stream/mongodb/fields/ecs.yml b/packages/network_traffic/1.2.0/data_stream/mongodb/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/mongodb/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
-  name: server.port
-  type: long
-- description: Bytes sent from the source to the destination.
-  name: source.bytes
-  type: long
-- description: IP address of the source (IPv4 or IPv6).
-  name: source.ip
-  type: ip
-- description: Port of the source.
-  name: source.port
-  type: long
diff --git a/packages/network_traffic/1.2.0/data_stream/mongodb/fields/protocol.yml b/packages/network_traffic/1.2.0/data_stream/mongodb/fields/protocol.yml
deleted file mode 100755
index a84465c61e..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/mongodb/fields/protocol.yml
+++ /dev/null
@@ -1,58 +0,0 @@ -- name: mongodb - type: group - fields: - - name: error - type: keyword - description: > - If the MongoDB request has resulted in an error, this field contains the error message returned by the server. - - - name: fullCollectionName - type: keyword - description: > - The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. - - - name: numberToSkip - type: long - description: > - Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query. - - - name: numberToReturn - type: long - description: > - The requested maximum number of documents to be returned. - - - name: numberReturned - type: long - description: > - The number of documents in the reply. - - - name: startingFrom - type: keyword - description: > - Where in the cursor this reply is starting. - - - name: query - type: keyword - description: > - A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot. - - - name: returnFieldsSelector - type: keyword - description: > - A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. - - - name: selector - type: keyword - description: > - A BSON document that specifies the query for selecting the document to update or delete. - - - name: update - type: keyword - description: > - A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. 
-
- - name: cursorId
- type: keyword
- description: >
- The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database.
-
diff --git a/packages/network_traffic/1.2.0/data_stream/mongodb/manifest.yml b/packages/network_traffic/1.2.0/data_stream/mongodb/manifest.yml
deleted file mode 100755
index 67dbb005f5..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/mongodb/manifest.yml
+++ /dev/null
@@ -1,95 +0,0 @@
-title: MongoDB
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [27017]
- - name: monitor_processes
- type: bool
- title: Monitor Processes
- description: |-
- If this option is enabled then network traffic events will be enriched
- with information about the process associated with the events.
- show_user: true
- multi: false
- required: false
- - name: max_docs
- type: integer
- title: Max Docs
- description: |-
- The maximum number of documents from the response to index in the `response`
- field. The default is 10.
- show_user: false
- multi: false
- required: false
- - name: max_doc_length
- type: integer
- title: Max Doc Length
- description: |-
- The maximum number of characters in a single document indexed in the
- `response` field. The default is 5000. You can set this to 0 to index an
- unlimited number of characters per document.
- show_user: false
- multi: false
- required: false
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: MongoDB
- description: Capture MongoDB Traffic
- template_path: mongodb.yml.hbs
diff --git a/packages/network_traffic/1.2.0/data_stream/mongodb/sample_event.json b/packages/network_traffic/1.2.0/data_stream/mongodb/sample_event.json
deleted file mode 100755
index 4cfd576e4c..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/mongodb/sample_event.json
+++ /dev/null
@@ -1,106 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:15:48.570Z",
- "agent": {
- "ephemeral_id": "fafaeb02-c623-46a0-a3e0-72e035bd12ba",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 50,
- "ip": "127.0.0.1",
- "port": 57203
- },
- "data_stream": {
- "dataset": "network_traffic.mongodb",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 514,
- "ip": "127.0.0.1",
- "port": 27017
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.mongodb",
- "duration": 1365900,
- "end": "2022-03-09T08:15:48.571Z",
- "ingested": "2022-03-09T08:15:49Z",
- "kind": "event",
- "start": "2022-03-09T08:15:48.570Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "find",
- "mongodb": {
- "cursorId": 0,
- "fullCollectionName": "test.restaurants",
- "numberReturned": 1,
- "numberToReturn": 1,
- "numberToSkip": 0,
- "startingFrom": 0
- },
- "network": {
- "bytes": 564,
- "community_id": "1:mYSTZ4QZBfvJO05Em9TnPwrae6g=",
- "direction": "ingress",
- "protocol": "mongodb",
- "transport": "tcp",
- "type": "ipv4"
- },
- "query": "test.restaurants.find().limit(1)",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "resource": "test.restaurants",
- "server": {
- "bytes": 514,
- "ip": "127.0.0.1",
- "port": 27017
- },
- "source": {
- "bytes": 50,
- "ip": "127.0.0.1",
- "port": 57203
- },
- "status": "OK",
- "type": "mysql"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.2.0/data_stream/mysql/agent/stream/mysql.yml.hbs b/packages/network_traffic/1.2.0/data_stream/mysql/agent/stream/mysql.yml.hbs
deleted file mode 100755
index ded52aaee1..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/mysql/agent/stream/mysql.yml.hbs
+++ /dev/null
@@ -1,41 +0,0 @@
-type: mysql
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if monitor_processes}}
-procs:
- enabled: true
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.2.0/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.2.0/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 23ad4ad9d5..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing mysql traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.2.0/data_stream/mysql/fields/agent.yml b/packages/network_traffic/1.2.0/data_stream/mysql/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/mysql/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.2.0/data_stream/mysql/fields/base.yml b/packages/network_traffic/1.2.0/data_stream/mysql/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/mysql/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.2.0/data_stream/mysql/fields/beats.yml b/packages/network_traffic/1.2.0/data_stream/mysql/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/mysql/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.2.0/data_stream/mysql/fields/ecs.yml b/packages/network_traffic/1.2.0/data_stream/mysql/fields/ecs.yml
deleted file mode 100755
index 45c65d5b8a..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/mysql/fields/ecs.yml
+++ /dev/null
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.2.0/data_stream/mysql/fields/protocol.yml b/packages/network_traffic/1.2.0/data_stream/mysql/fields/protocol.yml
deleted file mode 100755
index 64675f8d8e..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/mysql/fields/protocol.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-- name: mysql
- type: group
- fields:
- - name: affected_rows
- type: long
- description: >
- If the MySQL command is successful, this field contains the affected number of rows of the last statement.
-
- - name: insert_id
- type: keyword
- description: >
- If the INSERT query is successful, this field contains the id of the newly inserted row.
-
- - name: num_fields
- type: long
- description: >
- If the SELECT query is successful, this field is set to the number of fields returned.
-
- - name: num_rows
- type: long
- description: >
- If the SELECT query is successful, this field is set to the number of rows returned.
-
- - name: query
- type: keyword
- description: >
- The row mysql query as read from the transaction's request.
-
- - name: error_code
- type: long
- description: >
- The error code returned by MySQL.
-
- - name: error_message
- type: keyword
- description: >
- The error info message returned by MySQL.
-
diff --git a/packages/network_traffic/1.2.0/data_stream/mysql/manifest.yml b/packages/network_traffic/1.2.0/data_stream/mysql/manifest.yml
deleted file mode 100755
index 1f206a34a6..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/mysql/manifest.yml
+++ /dev/null
@@ -1,76 +0,0 @@
-title: MySQL
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [3306, 3307]
- - name: monitor_processes
- type: bool
- title: Monitor Processes
- description: |-
- If this option is enabled then network traffic events will be enriched
- with information about the process associated with the events.
- show_user: true
- multi: false
- required: false
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: MySQL
- description: Capture MySQL Traffic
- template_path: mysql.yml.hbs
diff --git a/packages/network_traffic/1.2.0/data_stream/mysql/sample_event.json b/packages/network_traffic/1.2.0/data_stream/mysql/sample_event.json
deleted file mode 100755
index 2c33116053..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/mysql/sample_event.json
+++ /dev/null
@@ -1,104 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:20:44.667Z",
- "agent": {
- "ephemeral_id": "43167926-7ebd-4acd-8216-daf3664fe286",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 23,
- "ip": "127.0.0.1",
- "port": 41517
- },
- "data_stream": {
- "dataset": "network_traffic.mysql",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 3629,
- "ip": "127.0.0.1",
- "port": 3306
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.mysql",
- "duration": 5532500,
- "end": "2022-03-09T08:20:44.673Z",
- "ingested": "2022-03-09T08:20:45Z",
- "kind": "event",
- "start": "2022-03-09T08:20:44.667Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "SELECT",
- "mysql": {
- "affected_rows": 0,
- "insert_id": 0,
- "num_fields": 3,
- "num_rows": 15
- },
- "network": {
- "bytes": 3652,
- "community_id": "1:goIcZn7CMIJ6W7Yf8JRV618zzxA=",
- "direction": "ingress",
- "protocol": "mysql",
- "transport": "tcp",
- "type": "ipv4"
- },
- "path": "test.test",
- "query": "select * from test",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 3629,
- "ip": "127.0.0.1",
- "port": 3306
- },
- "source": {
- "bytes": 23,
- "ip": "127.0.0.1",
- "port": 41517
- },
- "status": "OK",
- "type": "mysql"
-} \ No newline at end of 
file diff --git a/packages/network_traffic/1.2.0/data_stream/nfs/agent/stream/nfs.yml.hbs b/packages/network_traffic/1.2.0/data_stream/nfs/agent/stream/nfs.yml.hbs deleted file mode 100755 index 8212b36930..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/nfs/agent/stream/nfs.yml.hbs +++ /dev/null @@ -1,41 +0,0 @@ -type: nfs -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.2.0/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.2.0/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index cd66758ed4..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing nfs traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.2.0/data_stream/nfs/fields/agent.yml b/packages/network_traffic/1.2.0/data_stream/nfs/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/nfs/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.2.0/data_stream/nfs/fields/base.yml b/packages/network_traffic/1.2.0/data_stream/nfs/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/nfs/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.2.0/data_stream/nfs/fields/beats.yml b/packages/network_traffic/1.2.0/data_stream/nfs/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/nfs/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.2.0/data_stream/nfs/fields/ecs.yml b/packages/network_traffic/1.2.0/data_stream/nfs/fields/ecs.yml deleted file mode 100755 index 2b26a193f9..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/nfs/fields/ecs.yml +++ /dev/null 
@@ -1,144 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. 
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Unique identifier for the group on the system/platform. 
- name: group.id - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. 
- name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Unique identifier of the user. - name: user.id - type: keyword diff --git a/packages/network_traffic/1.2.0/data_stream/nfs/fields/protocol.yml b/packages/network_traffic/1.2.0/data_stream/nfs/fields/protocol.yml deleted file mode 100755 index 4bcf6fecec..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/nfs/fields/protocol.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -- name: nfs - type: group - fields: - - name: version - type: long - description: NFS protocol version number. - - name: minor_version - type: long - description: NFS protocol minor version number. - - name: tag - type: keyword - description: NFS v4 COMPOUND operation tag. - - name: opcode - type: keyword - description: > - NFS operation name, or main operation name, in case of COMPOUND calls. - - - name: status - type: keyword - description: NFS operation reply status. -- name: rpc - type: group - description: ONC RPC specific event fields. - fields: - - name: xid - type: keyword - description: RPC message transaction identifier. - - name: status - type: keyword - description: RPC message reply status. - - name: auth_flavor - type: keyword - description: RPC authentication flavor. - - name: cred.uid - type: long - description: RPC caller's user id, in case of auth-unix. - - name: cred.gid - type: long - description: RPC caller's group id, in case of auth-unix. - - name: cred.gids - type: long - description: RPC caller's secondary group ids, in case of auth-unix. - - name: cred.stamp - type: long - description: Arbitrary ID which the caller machine may generate. - - name: cred.machinename - type: keyword - description: The name of the caller's machine. diff --git a/packages/network_traffic/1.2.0/data_stream/nfs/manifest.yml b/packages/network_traffic/1.2.0/data_stream/nfs/manifest.yml deleted file mode 100755 index 2d98b08dc8..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/nfs/manifest.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -title: NFS -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [2049] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: NFS - description: Capture NFS Traffic - template_path: nfs.yml.hbs diff --git a/packages/network_traffic/1.2.0/data_stream/nfs/sample_event.json b/packages/network_traffic/1.2.0/data_stream/nfs/sample_event.json deleted file mode 100755 index de4b4525e0..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/nfs/sample_event.json +++ /dev/null 
@@ -1,123 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:24:00.569Z",
- "agent": {
- "ephemeral_id": "62904593-11a1-4706-8487-78b14fb72c08",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 208,
- "domain": "desycloud03.desy.de",
- "ip": "131.169.5.156",
- "port": 907
- },
- "data_stream": {
- "dataset": "network_traffic.nfs",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 176,
- "ip": "131.169.192.35",
- "port": 2049
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "action": "nfs.CLOSE",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.nfs",
- "duration": 6573500,
- "end": "2022-03-09T08:24:00.575Z",
- "ingested": "2022-03-09T08:24:01Z",
- "kind": "event",
- "start": "2022-03-09T08:24:00.569Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "group.id": 48,
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "host.hostname": "desycloud03.desy.de",
- "network": {
- "bytes": 384,
- "community_id": "1:cd5eLXemAsSPMdXwCbdDUWWud4M=",
- "direction": "unknown",
- "protocol": "nfsv4",
- "transport": "tcp",
- "type": "ipv4"
- },
- "nfs": {
- "minor_version": 1,
- "opcode": "CLOSE",
- "status": "NFS_OK",
- "tag": "",
- "version": 4
- },
- "related": {
- "ip": [
- "131.169.5.156",
- "131.169.192.35"
- ]
- },
- "rpc": {
- "auth_flavor": "unix",
- "cred": {
- "gid": 48,
- "gids": [
- 48
- ],
- "machinename": "desycloud03.desy.de", - 
"stamp": 4308441, - "uid": 48 - }, - "status": "success", - "xid": "c3103fc1" - }, - "server": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "source": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "status": "OK", - "type": "nfs", - "user.id": 48 -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/data_stream/pgsql/agent/stream/pgsql.yml.hbs b/packages/network_traffic/1.2.0/data_stream/pgsql/agent/stream/pgsql.yml.hbs deleted file mode 100755 index 1b9acf9a22..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/pgsql/agent/stream/pgsql.yml.hbs +++ /dev/null @@ -1,41 +0,0 @@ -type: pgsql -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.2.0/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.2.0/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 7bd75120a7..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing pgsql traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.2.0/data_stream/pgsql/fields/agent.yml b/packages/network_traffic/1.2.0/data_stream/pgsql/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/pgsql/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/network_traffic/1.2.0/data_stream/pgsql/fields/base.yml b/packages/network_traffic/1.2.0/data_stream/pgsql/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/pgsql/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.2.0/data_stream/pgsql/fields/beats.yml b/packages/network_traffic/1.2.0/data_stream/pgsql/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/pgsql/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.2.0/data_stream/pgsql/fields/ecs.yml b/packages/network_traffic/1.2.0/data_stream/pgsql/fields/ecs.yml
deleted file mode 100755
index 45c65d5b8a..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/pgsql/fields/ecs.yml
+++ /dev/null
@@ -1,123 +0,0 @@
-- description: Bytes sent from the client to the server.
- name: client.bytes
- type: long
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
-- description: Port of the client.
- name: client.port
- type: long
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- Name of the dataset.
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
- name: event.dataset
- type: keyword
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: Bytes sent from the server to the client.
- name: server.bytes
- type: long
-- description: IP address of the server (IPv4 or IPv6).
- name: server.ip
- type: ip
-- description: Port of the server.
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.2.0/data_stream/pgsql/fields/protocol.yml b/packages/network_traffic/1.2.0/data_stream/pgsql/fields/protocol.yml
deleted file mode 100755
index 4fd03e12cb..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/pgsql/fields/protocol.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: pgsql
- type: group
- fields:
- - name: error_code
- description: The PostgreSQL error code.
- type: keyword
- - name: error_message
- type: keyword
- description: The PostgreSQL error message.
- - name: error_severity
- type: keyword
- description: The PostgreSQL error severity.
- possible_values:
- - ERROR
- - FATAL
- - PANIC
- - name: num_fields
- type: long
- description: >
- If the SELECT query if successful, this field is set to the number of fields returned.
-
- - name: num_rows
- type: long
- description: >
- If the SELECT query if successful, this field is set to the number of rows returned.
-
diff --git a/packages/network_traffic/1.2.0/data_stream/pgsql/manifest.yml b/packages/network_traffic/1.2.0/data_stream/pgsql/manifest.yml
deleted file mode 100755
index 721877d6c7..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/pgsql/manifest.yml
+++ /dev/null
@@ -1,76 +0,0 @@
-title: PostgreSQL
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [5432]
- - name: monitor_processes
- type: bool
- title: Monitor Processes
- description: |-
- If this option is enabled then network traffic events will be enriched
- with information about the process associated with the events.
- show_user: true
- multi: false
- required: false
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: PostgreSQL
- description: Capture PostgreSQL Traffic
- template_path: pgsql.yml.hbs
diff --git a/packages/network_traffic/1.2.0/data_stream/pgsql/sample_event.json b/packages/network_traffic/1.2.0/data_stream/pgsql/sample_event.json
deleted file mode 100755
index 462f734f42..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/pgsql/sample_event.json
+++ /dev/null
@@ -1,101 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:29:39.675Z",
- "agent": {
- "ephemeral_id": "1e05998c-1d97-426b-8d9e-f5f92c446612",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 34,
- "ip": "127.0.0.1",
- "port": 34936
- },
- "data_stream": {
- "dataset": "network_traffic.pgsql",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 3186,
- "ip": "127.0.0.1",
- "port": 5432
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.pgsql",
- "duration": 2568100,
- "end": "2022-03-09T08:29:39.678Z",
- "ingested": "2022-03-09T08:29:40Z",
- "kind": "event",
- "start": "2022-03-09T08:29:39.675Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "SELECT",
- "network": {
- "bytes": 3220,
- "community_id": "1:WUuTzESSpZnUwZ2tuZKZtNOdHSU=",
- "direction": "ingress",
- "protocol": "pgsql",
- "transport": "tcp",
- "type": "ipv4"
- },
- "pgsql": {
- "num_fields": 3,
- "num_rows": 15
- },
- "query": "select * from long_response",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 3186,
- "ip": "127.0.0.1",
- "port": 5432
- },
- "source": {
- "bytes": 34,
- "ip": "127.0.0.1",
- "port": 34936
- },
- "status": "OK",
- "type": "pgsql"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.2.0/data_stream/redis/agent/stream/redis.yml.hbs b/packages/network_traffic/1.2.0/data_stream/redis/agent/stream/redis.yml.hbs
deleted file mode 100755
index c611b9e05d..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/redis/agent/stream/redis.yml.hbs
+++ /dev/null
@@ -1,47 +0,0 @@
-type: redis
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if queue_max_bytes}}
-queue_max_bytes: {{queue_max_bytes}}
-{{/if}}
-{{#if queue_max_messages}}
-queue_max_messages: {{queue_max_messages}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if monitor_processes}}
-procs:
- enabled: true
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.2.0/data_stream/redis/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.2.0/data_stream/redis/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index a2af2349ac..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/redis/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing redis traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.2.0/data_stream/redis/fields/agent.yml b/packages/network_traffic/1.2.0/data_stream/redis/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/redis/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/network_traffic/1.2.0/data_stream/redis/fields/base.yml b/packages/network_traffic/1.2.0/data_stream/redis/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/redis/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.2.0/data_stream/redis/fields/beats.yml b/packages/network_traffic/1.2.0/data_stream/redis/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/redis/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.2.0/data_stream/redis/fields/ecs.yml b/packages/network_traffic/1.2.0/data_stream/redis/fields/ecs.yml deleted file mode 100755 index 7638afce57..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/redis/fields/ecs.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.2.0/data_stream/redis/fields/protocol.yml b/packages/network_traffic/1.2.0/data_stream/redis/fields/protocol.yml deleted file mode 100755 index 4982b2c2d3..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/redis/fields/protocol.yml +++ /dev/null 
@@ -1,13 +0,0 @@
-- name: redis
- type: group
- fields:
- - name: return_value
- type: keyword
- description: >
- The return value of the Redis command in a human readable format.
-
- - name: error
- type: keyword
- description: >
- If the Redis command has resulted in an error, this field contains the error message returned by the Redis server.
-
diff --git a/packages/network_traffic/1.2.0/data_stream/redis/manifest.yml b/packages/network_traffic/1.2.0/data_stream/redis/manifest.yml
deleted file mode 100755
index 4260d9a6a7..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/redis/manifest.yml
+++ /dev/null
@@ -1,95 +0,0 @@
-title: Redis
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [6379]
- - name: monitor_processes
- type: bool
- title: Monitor Processes
- description: |-
- If this option is enabled then network traffic events will be enriched
- with information about the process associated with the events.
- show_user: true
- multi: false
- required: false
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: queue_max_bytes
- type: integer
- title: Queue Max Bytes
- description: |-
- Max size for per-session message queue. This places a limit on the memory
- that can be used to buffer requests and responses for correlation.
- show_user: false
- multi: false
- required: false
- - name: queue_max_messages
- type: integer
- title: Queue Max Messages
- description: |-
- Max number of messages for per-session message queue. This limits the number
- of requests or responses that can be buffered for correlation. Set a value
- large enough to allow for pipelining.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: Redis
- description: Capture Redis Traffic
- template_path: redis.yml.hbs
diff --git a/packages/network_traffic/1.2.0/data_stream/redis/sample_event.json b/packages/network_traffic/1.2.0/data_stream/redis/sample_event.json
deleted file mode 100755
index 7ce644c935..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/redis/sample_event.json
+++ /dev/null
@@ -1,102 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:30:57.254Z",
- "agent": {
- "ephemeral_id": "b68277a8-8012-4ada-bbdd-6ce88a51c5ce",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 31,
- "ip": "127.0.0.1",
- "port": 32810
- },
- "data_stream": {
- "dataset": "network_traffic.redis",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 5,
- "ip": "127.0.0.1",
- "port": 6380
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "action": "redis.set",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.redis",
- "duration": 1421600,
- "end": "2022-03-09T08:30:57.256Z",
- "ingested": "2022-03-09T08:30:58Z",
- "kind": "event",
- "start": "2022-03-09T08:30:57.254Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "SET",
- "network": {
- "bytes": 36,
- "community_id": "1:GuHlyWpX6bKkMXy19YkvZSNPTS4=",
- "direction": "ingress",
- "protocol": "redis",
- "transport": "tcp",
- "type": "ipv4"
- },
- "query": "set key3 me",
- "redis": {
- "return_value": "OK"
- },
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "resource": "key3",
- "server": {
- "bytes": 5,
- "ip": "127.0.0.1",
- "port": 6380
- },
- "source": {
- "bytes": 31,
- "ip": "127.0.0.1",
- "port": 32810
- },
- "status": "OK",
- "type": "redis"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.2.0/data_stream/sip/agent/stream/sip.yml.hbs b/packages/network_traffic/1.2.0/data_stream/sip/agent/stream/sip.yml.hbs
deleted file mode 100755
index 01ce8f5470..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/sip/agent/stream/sip.yml.hbs
+++ /dev/null
@@ -1,38 +0,0 @@
-type: sip
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if parse_authorization}}
-parse_authorization: {{parse_authorization}}
-{{/if}}
-{{#if parse_body}}
-parse_body: {{parse_body}}
-{{/if}}
-{{#if keep_original}}
-keep_original: {{keep_original}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if monitor_processes}}
-procs:
- enabled: true
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.2.0/data_stream/sip/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.2.0/data_stream/sip/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index c20207afdd..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/sip/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for processing sip traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-# Remove invalid "protocol" term added by packetbeat prior to v7.17.4/8.2.1.
-- script:
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "protocol") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.2.0/data_stream/sip/fields/agent.yml b/packages/network_traffic/1.2.0/data_stream/sip/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/sip/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.2.0/data_stream/sip/fields/base.yml b/packages/network_traffic/1.2.0/data_stream/sip/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/sip/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.2.0/data_stream/sip/fields/beats.yml b/packages/network_traffic/1.2.0/data_stream/sip/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/sip/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.2.0/data_stream/sip/fields/ecs.yml b/packages/network_traffic/1.2.0/data_stream/sip/fields/ecs.yml deleted file mode 100755 index c2a147238b..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/sip/fields/ecs.yml +++ /dev/null 
@@ -1,174 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: |- - Sequence number of the event. - The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. - name: event.sequence - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
- name: event.type - type: keyword -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. 
- name: network.forwarded_ip - type: ip -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Short name or login of the user. 
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
diff --git a/packages/network_traffic/1.2.0/data_stream/sip/fields/protocol.yml b/packages/network_traffic/1.2.0/data_stream/sip/fields/protocol.yml
deleted file mode 100755
index 5b25d9df6d..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/sip/fields/protocol.yml
+++ /dev/null
@@ -1,231 +0,0 @@
-- name: sip
- type: group
- description: Information about SIP traffic.
- fields:
- - name: code
- type: long
- description: Response status code.
- - name: method
- type: keyword
- description: Request method.
- - name: status
- type: keyword
- description: Response status phrase.
- - name: type
- type: keyword
- description: Either request or response.
- - name: version
- type: keyword
- description: SIP protocol version.
- - name: uri.original
- type: keyword
- description: The original URI.
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: uri.scheme
- type: keyword
- description: The URI scheme.
- - name: uri.username
- type: keyword
- description: The URI user name.
- - name: uri.host
- type: keyword
- description: The URI host.
- - name: uri.port
- type: long
- description: The URI port.
- - name: accept
- type: keyword
- description: Accept header value.
- - name: allow
- type: keyword
- description: Allowed methods.
- - name: call_id
- type: keyword
- description: Call ID.
- - name: content_length
- type: long
- - name: content_type
- type: keyword
- - name: max_forwards
- type: long
- - name: supported
- type: keyword
- description: Supported methods.
- - name: user_agent.original
- type: keyword
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: private.uri.original
- type: keyword
- description: Private original URI.
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: private.uri.scheme
- type: keyword
- description: Private URI scheme.
- - name: private.uri.username
- type: keyword
- description: Private URI user name.
- - name: private.uri.host
- type: keyword
- description: Private URI host.
- - name: private.uri.port
- type: long
- description: Private URI port.
- - name: cseq.code
- type: long
- description: Sequence code.
- - name: cseq.method
- type: keyword
- description: Sequence method.
- - name: via.original
- type: keyword
- description: The original Via value.
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: to.display_info
- type: keyword
- description: "To display info"
- - name: to.uri.original
- type: keyword
- description: "To original URI"
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: to.uri.scheme
- type: keyword
- description: "To URI scheme"
- - name: to.uri.username
- type: keyword
- description: "To URI user name"
- - name: to.uri.host
- type: keyword
- description: "To URI host"
- - name: to.uri.port
- type: long
- description: "To URI port"
- - name: to.tag
- type: keyword
- description: "To tag"
- - name: from.display_info
- type: keyword
- description: "From display info"
- - name: from.uri.original
- type: keyword
- description: "From original URI"
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: from.uri.scheme
- type: keyword
- description: "From URI scheme"
- - name: from.uri.username
- type: keyword
- description: "From URI user name"
- - name: from.uri.host
- type: keyword
- description: "From URI host"
- - name: from.uri.port
- type: long
- description: "From URI port"
- - name: from.tag
- type: keyword
- description: "From tag"
- - name: contact.display_info
- type: keyword
- description: "Contact display info"
- - name: contact.uri.original
- type: keyword
- description: "Contact original URI"
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: contact.uri.scheme
- type: keyword
- description: "Contat URI scheme"
- - name: contact.uri.username
- type: keyword
- description: "Contact URI user name"
- - name: contact.uri.host
- type: keyword
- description: "Contact URI host"
- - name: contact.uri.port
- type: long
- description: "Contact URI port"
- - name: contact.transport
- type: keyword
- description: "Contact transport"
- - name: contact.line
- type: keyword
- description: "Contact line"
- - name: contact.expires
- type: keyword
- description: "Contact expires"
- - name: contact.q
- type: keyword
- description: "Contact Q"
- - name: auth.scheme
- type: keyword
- description: "Auth scheme"
- - name: auth.realm
- type: keyword
- description: "Auth realm"
- - name: auth.uri.original
- type: keyword
- description: "Auth original URI"
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: auth.uri.scheme
- type: keyword
- description: "Auth URI scheme"
- - name: auth.uri.host
- type: keyword
- description: "Auth URI host"
- - name: auth.uri.port
- type: long
- description: "Auth URI port"
- - name: sdp.version
- type: keyword
- description: "SDP version"
- - name: sdp.owner.username
- type: keyword
- description: "SDP owner user name"
- - name: sdp.owner.session_id
- type: keyword
- description: "SDP owner session ID"
- - name: sdp.owner.version
- type: keyword
- description: "SDP owner version"
- - name: sdp.owner.ip
- type: ip
- description: "SDP owner IP"
- - name: sdp.session.name
- type: keyword
- description: "SDP session name"
- - name: sdp.connection.info
- type: keyword
- description: "SDP connection info"
- - name: sdp.connection.address
- type: keyword
- description: "SDP connection address"
- - name: sdp.body.original
- type: keyword
- description: "SDP original body"
- multi_fields:
- - name: text
- type: text
- norms: false
diff --git a/packages/network_traffic/1.2.0/data_stream/sip/manifest.yml b/packages/network_traffic/1.2.0/data_stream/sip/manifest.yml
deleted file mode 100755
index 325149aad5..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/sip/manifest.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-title: SIP
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [5060]
- - name: monitor_processes
- type: bool
- title: Monitor Processes
- description: |-
- If this option is enabled then network traffic events will be enriched
- with information about the process associated with the events.
- show_user: true
- multi: false
- required: false
- - name: parse_authorization
- type: bool
- title: Parse Authorization
- description: Parse the authorization headers
- show_user: false
- multi: false
- required: false
- - name: parse_body
- type: bool
- title: Parse Body
- description: Parse body contents (only when body is SDP)
- show_user: false
- multi: false
- required: false
- - name: keep_original
- type: bool
- title: Keep Original
- description: Preserve original contents in event.original
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: SIP
- description: Capture SIP Traffic
- template_path: sip.yml.hbs
diff --git a/packages/network_traffic/1.2.0/data_stream/sip/sample_event.json b/packages/network_traffic/1.2.0/data_stream/sip/sample_event.json
deleted file mode 100755
index 5a36041d5a..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/sip/sample_event.json
+++ /dev/null
@@ -1,174 +0,0 @@ -{ - "@timestamp": "2022-05-13T07:10:35.715Z", - "agent": { - "ephemeral_id": "008322ce-0d84-45f0-beaf-153cf4786013", - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "ip": "10.0.2.20", - "port": 5060 - }, - "data_stream": { - "dataset": "network_traffic.sip", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "10.0.2.15", - "port": 5060 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "sip-invite", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.sip", - "duration": 0, - "end": "2022-05-13T07:10:35.715Z", - "ingested": "2022-05-13T07:10:39Z", - "kind": "event", - "original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" \u003csip:sipp@10.0.2.20:5060\u003e;tag=1\r\nTo: test \u003csip:test@10.0.2.15:5060\u003e\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n", - "sequence": 1, - "start": "2022-05-13T07:10:35.715Z", - "type": [ - "info" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "172.31.0.7" - ], - "mac": [ - "02-42-AC-1F-00-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "network": { - "application": "sip", - "community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", - 
"direction": "unknown", - "iana_number": "17", - "protocol": "sip", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "hosts": [ - "10.0.2.15", - "10.0.2.20" - ], - "ip": [ - "10.0.2.20", - "10.0.2.15" - ], - "user": [ - "test", - "sipp" - ] - }, - "server": { - "ip": "10.0.2.15", - "port": 5060 - }, - "sip": { - "call_id": "1-2187@10.0.2.20", - "contact": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "content_length": 123, - "content_type": "application/sdp", - "cseq": { - "code": 1, - "method": "INVITE" - }, - "from": { - "display_info": "DVI4/8000", - "tag": "1", - "uri": { - "host": "10.0.2.20", - "original": "sip:sipp@10.0.2.20:5060", - "port": 5060, - "scheme": "sip", - "username": "sipp" - } - }, - "max_forwards": 70, - "method": "INVITE", - "sdp": { - "body": { - "original": "v=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n" - }, - "connection": { - "address": "10.0.2.20", - "info": "IN IP4 10.0.2.20" - }, - "owner": { - "ip": "10.0.2.20", - "session_id": "42", - "version": "42" - }, - "version": "0" - }, - "to": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "type": "request", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - }, - "version": "2.0", - "via": { - "original": [ - "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0" - ] - } - }, - "source": { - "ip": "10.0.2.20", - "port": 5060 - }, - "status": "OK", - "type": "sip" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.2.0/data_stream/thrift/agent/stream/thrift.yml.hbs b/packages/network_traffic/1.2.0/data_stream/thrift/agent/stream/thrift.yml.hbs
deleted file mode 100755
index 5437c4f132..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/thrift/agent/stream/thrift.yml.hbs
+++ /dev/null
@@ -1,68 +0,0 @@
-type: thrift
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if transport_type}}
-transport_type: {{transport_type}}
-{{/if}}
-{{#if protocol_type}}
-protocol_type: {{protocol_type}}
-{{/if}}
-{{#if idl_files}}
-idl_files:
-{{#each idl_files as |idl_file|}}
- - {{idl_file}}
-{{/each}}
-{{/if}}
-{{#if string_max_size}}
-string_max_size: {{string_max_size}}
-{{/if}}
-{{#if collection_max_size}}
-collection_max_size: {{collection_max_size}}
-{{/if}}
-{{#if capture_reply}}
-capture_reply: {{capture_reply}}
-{{/if}}
-{{#if obfuscate_strings}}
-obfuscate_strings: {{obfuscate_strings}}
-{{/if}}
-{{#if drop_after_n_struct_fields}}
-drop_after_n_struct_fields: {{drop_after_n_struct_fields}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if monitor_processes}}
-procs:
- enabled: true
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.2.0/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.2.0/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 987bedd730..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing thrift traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.2.0/data_stream/thrift/fields/agent.yml b/packages/network_traffic/1.2.0/data_stream/thrift/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/thrift/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.2.0/data_stream/thrift/fields/base.yml b/packages/network_traffic/1.2.0/data_stream/thrift/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/thrift/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.2.0/data_stream/thrift/fields/beats.yml b/packages/network_traffic/1.2.0/data_stream/thrift/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.2.0/data_stream/thrift/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.2.0/data_stream/thrift/fields/ecs.yml b/packages/network_traffic/1.2.0/data_stream/thrift/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/thrift/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.2.0/data_stream/thrift/fields/protocol.yml b/packages/network_traffic/1.2.0/data_stream/thrift/fields/protocol.yml deleted file mode 100755 index dd097f61ee..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/thrift/fields/protocol.yml +++ /dev/null @@ -1,23 +0,0 @@ -- name: thrift - type: group - fields: - - name: params - type: keyword - description: > - The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used. - - - name: service - type: keyword - description: > - The name of the Thrift-RPC service as defined in the IDL files. - - - name: return_value - type: keyword - description: > - The value returned by the Thrift-RPC call. This is encoded in a human readable format. - - - name: exceptions - type: keyword - description: > - If the call resulted in exceptions, this field contains the exceptions in a human readable format. - diff --git a/packages/network_traffic/1.2.0/data_stream/thrift/manifest.yml b/packages/network_traffic/1.2.0/data_stream/thrift/manifest.yml deleted file mode 100755 index 4429f53567..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/thrift/manifest.yml +++ /dev/null 
@@ -1,150 +0,0 @@ -title: Thrift -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [9090] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: transport_type - type: text - title: Transport Type - description: |- - The Thrift transport type. Currently this option accepts the values socket - for TSocket, which is the default Thrift transport, and framed for the - TFramed Thrift transport. The default is socket. - show_user: false - multi: false - required: false - - name: protocol_type - type: text - title: Protocol Type - description: |- - The Thrift protocol type. Currently the only accepted value is binary for - the TBinary protocol, which is the default Thrift protocol. - show_user: false - multi: false - required: false - - name: idl_files - type: text - title: Idl Files - description: |- - The Thrift interface description language (IDL) files for the service that - Packetbeat is monitoring. Providing the IDL enables Packetbeat to include - parameter and exception names. - show_user: false - multi: true - required: false - - name: string_max_size - type: integer - title: String Max Size - description: |- - The maximum length for strings in parameters or return values. If a string - is longer than this value, the string is automatically truncated to this - length. 
- show_user: false - multi: false - required: false - - name: collection_max_size - type: integer - title: Collection Max Size - description: The maximum number of elements in a Thrift list, set, map, or structure. - show_user: false - multi: false - required: false - - name: capture_reply - type: bool - title: Capture Reply - description: |- - If this option is set to false, Packetbeat decodes the method name from the - reply and simply skips the rest of the response message. - show_user: false - multi: false - required: false - - name: obfuscate_strings - type: bool - title: Obfuscate Strings - description: |- - If this option is set to true, Packetbeat replaces all strings found in - method parameters, return codes, or exception structures with the "*" - string. - show_user: false - multi: false - required: false - - name: drop_after_n_struct_fields - type: integer - title: Drop After N Struct Fields - description: |- - The maximum number of fields that a structure can have before Packetbeat - ignores the whole transaction. - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. 
Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Thrift - description: Capture Thrift Traffic - template_path: thrift.yml.hbs diff --git a/packages/network_traffic/1.2.0/data_stream/thrift/sample_event.json b/packages/network_traffic/1.2.0/data_stream/thrift/sample_event.json deleted file mode 100755 index 523e6958a6..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/thrift/sample_event.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "@timestamp": "2022-05-23T10:59:35.668Z", - "agent": { - "ephemeral_id": "016dcea4-c82a-4499-9069-e4e0ff6d04ff", - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 50919 - }, - "data_stream": { - "dataset": "network_traffic.thrift", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 9090 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.thrift", - "duration": 1275700, - "end": "2022-05-23T10:59:35.669Z", - "ingested": "2022-05-23T10:59:36Z", - "kind": "event", - "start": "2022-05-23T10:59:35.668Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.224.7" - ], - "mac": [ - "02-42-C0-A8-E0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "method": "testByte", - "network": { - "bytes": 50, - "community_id": "1:fs+HuhTN3hqKiWHtoK/DsQ0ni5Y=", - "direction": "ingress", - "protocol": "thrift", - "transport": "tcp", - "type": "ipv4" - }, - "path": "", - "query": "testByte(1: 63)", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 9090 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 50919 - }, - "status": "OK", - "thrift": { - "params": "(1: 63)", - "return_value": "63" - }, - "type": "thrift" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.2.0/data_stream/tls/agent/stream/tls.yml.hbs b/packages/network_traffic/1.2.0/data_stream/tls/agent/stream/tls.yml.hbs deleted file mode 100755 index b4e8f496fc..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/tls/agent/stream/tls.yml.hbs +++ /dev/null @@ -1,44 +0,0 @@ -type: tls -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if fingerprints}} -fingerprints: -{{#each fingerprints as |fingerprint|}} - - {{fingerprint}} -{{/each}} -{{/if}} -{{#if send_certificates}} -send_certificates: {{send_certificates}} -{{/if}} -{{#if include_raw_certificates}} -include_raw_certificates: {{include_raw_certificates}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.2.0/data_stream/tls/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.2.0/data_stream/tls/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index bd7f3b2b61..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/tls/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,70 +0,0 @@ ---- -description: Pipeline for processing tls traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true - -## -# Make tls.{client,server}.x509.version_number a string as per ECS. -## -- convert: - field: tls.client.x509.version_number - type: string - ignore_missing: true -- convert: - field: tls.server.x509.version_number - type: string - ignore_missing: true - -## -# This handles legacy TLS fields from Packetbeat 7.17. -## -- remove: - description: Remove legacy fields from Packetbeat 7.17 that are duplicated. - field: - - tls.client.x509.issuer.province # Duplicated as tls.client.x509.issuer.state_or_province. - - tls.client.x509.subject.province # Duplicated as tls.client.x509.subject.state_or_province. - - tls.client.x509.version # Duplicated as tls.client.x509.version_number. - - tls.detailed.client_certificate # Duplicated as tls.client.x509. - - tls.detailed.server_certificate # Duplicated as tls.server.x509. - - tls.server.x509.issuer.province # Duplicated as tls.server.x509.issuer.state_or_province. - - tls.server.x509.subject.province # Duplicated as tls.server.x509.subject.state_or_province. - - tls.server.x509.version # Duplicated as tls.server.x509.version_number. - ignore_missing: true - -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. 
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.2.0/data_stream/tls/fields/agent.yml b/packages/network_traffic/1.2.0/data_stream/tls/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/tls/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.2.0/data_stream/tls/fields/base.yml b/packages/network_traffic/1.2.0/data_stream/tls/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/tls/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.2.0/data_stream/tls/fields/beats.yml b/packages/network_traffic/1.2.0/data_stream/tls/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/tls/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.2.0/data_stream/tls/fields/ecs.yml b/packages/network_traffic/1.2.0/data_stream/tls/fields/ecs.yml deleted file mode 100755 index 49c713858d..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/tls/fields/ecs.yml +++ /dev/null 
@@ -1,368 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
- name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. 
- name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: String indicating the cipher used during the current connection. - name: tls.cipher - type: keyword -- description: PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. - name: tls.client.certificate - type: keyword -- description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. - name: tls.client.certificate_chain - type: keyword -- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.client.hash.md5 - type: keyword -- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. 
- name: tls.client.hash.sha1 - type: keyword -- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.client.hash.sha256 - type: keyword -- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - name: tls.client.issuer - type: keyword -- description: A hash that identifies clients based on how they perform an SSL/TLS handshake. - name: tls.client.ja3 - type: keyword -- description: Date/Time indicating when client certificate is no longer considered valid. - name: tls.client.not_after - type: date -- description: Date/Time indicating when client certificate is first considered valid. - name: tls.client.not_before - type: date -- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. - name: tls.client.server_name - type: keyword -- description: Distinguished name of subject of the x.509 certificate presented by the client. - name: tls.client.subject - type: keyword -- description: Array of ciphers offered by the client during the client hello. - name: tls.client.supported_ciphers - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - name: tls.client.x509.alternative_names - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: tls.client.x509.issuer.common_name - type: keyword -- description: List of country (C) codes - name: tls.client.x509.issuer.country - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. 
- name: tls.client.x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.client.x509.issuer.locality - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: tls.client.x509.issuer.organization - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: tls.client.x509.issuer.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.client.x509.issuer.state_or_province - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: tls.client.x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: tls.client.x509.not_before - type: date -- description: Algorithm used to generate the public key. - name: tls.client.x509.public_key_algorithm - type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. - name: tls.client.x509.public_key_curve - type: keyword -- description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - index: false - name: tls.client.x509.public_key_exponent - type: long -- description: The size of the public key space in bits. - name: tls.client.x509.public_key_size - type: long -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: tls.client.x509.serial_number - type: keyword -- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - name: tls.client.x509.signature_algorithm - type: keyword -- description: List of common names (CN) of subject. 
- name: tls.client.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: tls.client.x509.subject.country - type: keyword -- description: Distinguished name (DN) of the certificate subject entity. - name: tls.client.x509.subject.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.client.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: tls.client.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.client.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.client.x509.subject.state_or_province - type: keyword -- description: Version of x509 format. - name: tls.client.x509.version_number - type: keyword -- description: String indicating the curve used for the given cipher, when applicable. - name: tls.curve - type: keyword -- description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. - name: tls.established - type: boolean -- description: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. - name: tls.next_protocol - type: keyword -- description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. - name: tls.resumed - type: boolean -- description: PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. - name: tls.server.certificate - type: keyword -- description: Array of PEM-encoded certificates that make up the certificate chain offered by the server. 
This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. - name: tls.server.certificate_chain - type: keyword -- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.md5 - type: keyword -- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.sha1 - type: keyword -- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.sha256 - type: keyword -- description: Subject of the issuer of the x.509 certificate presented by the server. - name: tls.server.issuer - type: keyword -- description: A hash that identifies servers based on how they perform an SSL/TLS handshake. - name: tls.server.ja3s - type: keyword -- description: Timestamp indicating when server certificate is no longer considered valid. - name: tls.server.not_after - type: date -- description: Timestamp indicating when server certificate is first considered valid. - name: tls.server.not_before - type: date -- description: Subject of the x.509 certificate presented by the server. - name: tls.server.subject - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - name: tls.server.x509.alternative_names - type: keyword -- description: List of common name (CN) of issuing certificate authority. 
- name: tls.server.x509.issuer.common_name - type: keyword -- description: List of country (C) codes - name: tls.server.x509.issuer.country - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. - name: tls.server.x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.server.x509.issuer.locality - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: tls.server.x509.issuer.organization - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: tls.server.x509.issuer.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.issuer.state_or_province - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: tls.server.x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: tls.server.x509.not_before - type: date -- description: Algorithm used to generate the public key. - name: tls.server.x509.public_key_algorithm - type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. - name: tls.server.x509.public_key_curve - type: keyword -- description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - index: false - name: tls.server.x509.public_key_exponent - type: long -- description: The size of the public key space in bits. - name: tls.server.x509.public_key_size - type: long -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: tls.server.x509.serial_number - type: keyword -- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - name: tls.server.x509.signature_algorithm - type: keyword -- description: List of common names (CN) of subject. - name: tls.server.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: tls.server.x509.subject.country - type: keyword -- description: Distinguished name (DN) of the certificate subject entity. - name: tls.server.x509.subject.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.server.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: tls.server.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.server.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.subject.state_or_province - type: keyword -- description: Version of x509 format. - name: tls.server.x509.version_number - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: Normalized lowercase protocol name parsed from original string. - name: tls.version_protocol - type: keyword diff --git a/packages/network_traffic/1.2.0/data_stream/tls/fields/protocol.yml b/packages/network_traffic/1.2.0/data_stream/tls/fields/protocol.yml deleted file mode 100755 index d8264468d4..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/tls/fields/protocol.yml +++ /dev/null 
@@ -1,173 +0,0 @@ -- name: tls - type: group - fields: - - name: detailed - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol used. - - example: "TLS 1.3" - - name: resumption_method - type: keyword - description: > - If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension. - - - name: client_certificate_requested - type: boolean - description: > - Whether the server has requested the client to authenticate itself using a client certificate. - - - name: ocsp_response - type: keyword - description: > - The result of an OCSP request. - - - name: client_hello - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol by which the client wishes to communicate during this session. - - - name: random - type: keyword - description: > - Random data used by the TLS protocol to generate the encryption key. - - - name: session_id - type: keyword - description: > - Unique number to identify the session for the corresponding connection with the client. - - - name: supported_compression_methods - type: keyword - description: > - The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml - - - name: extensions - type: group - description: The hello extensions provided by the client. - fields: - - name: server_name_indication - type: keyword - description: List of hostnames - - name: application_layer_protocol_negotiation - type: keyword - description: > - List of application-layer protocols the client is willing to use. - - - name: session_ticket - type: keyword - description: > - Length of the session ticket, if provided, or an empty string to advertise support for tickets. - - - name: supported_versions - type: keyword - description: > - List of TLS versions that the client is willing to use. 
- - - name: supported_groups - type: keyword - description: > - List of Elliptic Curve Cryptography (ECC) curve groups supported by the client. - - - name: signature_algorithms - type: keyword - description: > - List of signature algorithms that may be use in digital signatures. - - - name: ec_points_formats - type: keyword - description: > - List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse. - - - name: status_request - type: group - description: Status request made to the server. - fields: - - name: type - type: keyword - description: The type of the status request. Always "ocsp" if present. - - name: responder_id_list_length - type: short - description: The length of the list of trusted responders. - - name: request_extensions - type: short - description: The number of certificate extensions for the request. - - name: _unparsed_ - type: keyword - description: > - List of extensions that were left unparsed by Packetbeat. - - - name: server_hello - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello. - - - name: random - type: keyword - description: > - Random data used by the TLS protocol to generate the encryption key. - - - name: selected_compression_method - type: keyword - description: > - The compression method selected by the server from the list provided in the client hello. - - - name: session_id - type: keyword - description: > - Unique number to identify the session for the corresponding connection with the client. - - - name: extensions - type: group - description: The hello extensions provided by the server. 
- fields: - - name: application_layer_protocol_negotiation - type: keyword - description: Negotiated application layer protocol - - name: session_ticket - type: keyword - description: > - Used to announce that a session ticket will be provided by the server. Always an empty string. - - - name: supported_versions - type: keyword - description: > - Negotiated TLS version to be used. - - - name: ec_points_formats - type: keyword - description: > - List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse. - - - name: status_request - type: group - description: Status request made to the server. - fields: - - name: response - type: boolean - description: Whether a certificate status request response was made. - - name: _unparsed_ - type: keyword - description: > - List of extensions that were left unparsed by Packetbeat. - - - name: server_certificate_chain - type: array - description: Chain of trust for the server certificate. - - name: client_certificate_chain - type: array - description: Chain of trust for the client certificate. - - name: alert_types - type: keyword - description: > - An array containing the TLS alert type for every alert received. - diff --git a/packages/network_traffic/1.2.0/data_stream/tls/manifest.yml b/packages/network_traffic/1.2.0/data_stream/tls/manifest.yml deleted file mode 100755 index 1a5c670684..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/tls/manifest.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -title: TLS -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [443, 993, 995, 5223, 8443, 8883, 9243] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: fingerprints - type: text - title: Fingerprints - description: |- - List of hash algorithms to use to calculate certificates' fingerprints. - Valid values are `sha1`, `sha256` and `md5`. - show_user: false - multi: true - required: false - - name: send_certificates - type: bool - title: Send Certificates - description: |- - If this option is enabled, the client and server certificates and - certificate chains are sent to Elasticsearch. The default is true. - show_user: false - multi: false - required: false - - name: include_raw_certificates - type: bool - title: Include Raw Certificates - description: |- - If this option is enabled, the raw certificates will be stored - in PEM format under the `raw` key. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: TLS - description: Capture TLS Traffic - template_path: tls.yml.hbs diff --git a/packages/network_traffic/1.2.0/data_stream/tls/sample_event.json b/packages/network_traffic/1.2.0/data_stream/tls/sample_event.json deleted file mode 100755 index 6c9779651e..0000000000 --- a/packages/network_traffic/1.2.0/data_stream/tls/sample_event.json +++ /dev/null 
@@ -1,302 +0,0 @@ -{ - "@timestamp": "2022-05-23T11:01:14.376Z", - "agent": { - "ephemeral_id": "d7d5fdf6-998d-488e-bfb7-176a86d6860d", - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "ip": "192.168.1.35", - "port": 59455 - }, - "data_stream": { - "dataset": "network_traffic.tls", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "domain": "example.net", - "ip": "93.184.216.34", - "port": 443 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.tls", - "duration": 365887700, - "end": "2022-05-23T11:01:14.741Z", - "ingested": "2022-05-23T11:01:17Z", - "kind": "event", - "start": "2022-05-23T11:01:14.376Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.224.7" - ], - "mac": [ - "02-42-C0-A8-E0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "network": { - "community_id": "1:fx1jENdlg6r3LIvBRG3wEboWbPY=", - "direction": "unknown", - "protocol": "tls", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.1.35", - "93.184.216.34" - ] - }, - "server": { - "domain": "example.net", - "ip": "93.184.216.34", - "port": 443 - }, - "source": { - "ip": "192.168.1.35", - "port": 59455 - }, - "status": "OK", - "tls": { - "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "client": { - "ja3": "e6573e91e6eb777c0933c5b8f97f10cd", - "server_name": "example.net", - "supported_ciphers": [ - 
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "(unknown:0xff85)", - "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", - "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", - "TLS_GOSTR341001_WITH_28147_CNT_IMIT", - "TLS_RSA_WITH_AES_256_GCM_SHA384", - "TLS_RSA_WITH_AES_256_CBC_SHA256", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", - "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", - "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", - "TLS_RSA_WITH_AES_128_GCM_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", - "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", - "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" - ] - }, - "detailed": { - "client_certificate_requested": false, - "client_hello": { - "extensions": { - "application_layer_protocol_negotiation": [ - "h2", - "http/1.1" - ], - "ec_points_formats": [ - "uncompressed" - ], - "server_name_indication": [ - "example.net" - ], - 
"signature_algorithms": [ - "rsa_pkcs1_sha512", - "ecdsa_secp521r1_sha512", - "(unknown:0xefef)", - "rsa_pkcs1_sha384", - "ecdsa_secp384r1_sha384", - "rsa_pkcs1_sha256", - "ecdsa_secp256r1_sha256", - "(unknown:0xeeee)", - "(unknown:0xeded)", - "(unknown:0x0301)", - "(unknown:0x0303)", - "rsa_pkcs1_sha1", - "ecdsa_sha1" - ], - "supported_groups": [ - "x25519", - "secp256r1", - "secp384r1" - ] - }, - "random": "d7c809b4ac3a60b62f53c9d9366ca89a703d25491ff2a246a89f32f945f7b42b", - "supported_compression_methods": [ - "NULL" - ], - "version": "3.3" - }, - "server_certificate_chain": [ - { - "issuer": { - "common_name": "DigiCert Global Root CA", - "country": "US", - "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc", - "organizational_unit": "www.digicert.com" - }, - "not_after": "2023-03-08T12:00:00.000Z", - "not_before": "2013-03-08T12:00:00.000Z", - "public_key_algorithm": "RSA", - "public_key_size": 2048, - "serial_number": "2646203786665923649276728595390119057", - "signature_algorithm": "SHA256-RSA", - "subject": { - "common_name": "DigiCert SHA2 Secure Server CA", - "country": "US", - "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc" - }, - "version_number": 3 - }, - { - "issuer": { - "common_name": "DigiCert Global Root CA", - "country": "US", - "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc", - "organizational_unit": "www.digicert.com" - }, - "not_after": "2031-11-10T00:00:00.000Z", - "not_before": "2006-11-10T00:00:00.000Z", - "public_key_algorithm": "RSA", - "public_key_size": 2048, - "serial_number": "10944719598952040374951832963794454346", - "signature_algorithm": "SHA1-RSA", - "subject": { - "common_name": "DigiCert Global Root CA", - "country": "US", - "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", - 
"organization": "DigiCert Inc", - "organizational_unit": "www.digicert.com" - }, - "version_number": 3 - } - ], - "server_hello": { - "extensions": { - "_unparsed_": [ - "renegotiation_info", - "server_name_indication" - ], - "application_layer_protocol_negotiation": [ - "h2" - ], - "ec_points_formats": [ - "uncompressed", - "ansiX962_compressed_prime", - "ansiX962_compressed_char2" - ] - }, - "random": "d1fd553a5a270f08e09eda6690fb3c8f9884e9a9fe7949e9444f574e47524401", - "selected_compression_method": "NULL", - "session_id": "23bb2aed5d215e1228220b0a51d7aa220785e9e4b83b4f430229117971e9913f", - "version": "3.3" - }, - "version": "TLS 1.2" - }, - "established": true, - "next_protocol": "h2", - "resumed": false, - "server": { - "hash": { - "sha1": "7BB698386970363D2919CC5772846984FFD4A889" - }, - "issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", - "not_after": "2020-12-02T12:00:00.000Z", - "not_before": "2018-11-28T00:00:00.000Z", - "subject": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US", - "x509": { - "alternative_names": [ - "www.example.org", - "example.com", - "example.edu", - "example.net", - "example.org", - "www.example.com", - "www.example.edu", - "www.example.net" - ], - "issuer": { - "common_name": "DigiCert SHA2 Secure Server CA", - "country": "US", - "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc" - }, - "not_after": "2020-12-02T12:00:00.000Z", - "not_before": "2018-11-28T00:00:00.000Z", - "public_key_algorithm": "RSA", - "public_key_size": 2048, - "serial_number": "21020869104500376438182461249190639870", - "signature_algorithm": "SHA256-RSA", - "subject": { - "common_name": "www.example.org", - "country": "US", - "distinguished_name": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US", - "locality": "Los Angeles", - 
"organization": "Internet Corporation for Assigned Names and Numbers", - "organizational_unit": "Technology", - "state_or_province": "California" - }, - "version_number": "3" - } - }, - "version": "1.2", - "version_protocol": "tls" - }, - "type": "tls" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/docs/README.md b/packages/network_traffic/1.2.0/docs/README.md deleted file mode 100755 index 1d726b438f..0000000000 --- a/packages/network_traffic/1.2.0/docs/README.md +++ /dev/null 
@@ -1,4720 +0,0 @@ -# Network Packet Capture Integration - -This integration sniffs network packets on a host and dissects -known protocols. - -Monitoring your network traffic is critical to gaining observability and -securing your environment — ensuring high levels of performance and security. -The Network Packet Capture integration captures the network traffic between -your application servers, decodes common application layer protocols and -records the interesting fields for each transaction. - -## Supported Protocols - -Currently, Network Packet Capture supports the following protocols: - -- ICMP (v4 and v6) -- DHCP (v4) -- DNS -- HTTP -- AMQP 0.9.1 -- Cassandra -- Mysql -- PostgreSQL -- Redis -- Thrift-RPC -- MongoDB -- Memcache -- NFS -- TLS -- SIP/SDP (beta) - -### Common protocol options - -The following options are available for all protocols: - -#### `enabled` - -The enabled setting is a boolean setting to enable or disable protocols -without having to comment out configuration sections. If set to false, -the protocol is disabled. - -The default value is true. - -#### `ports` - -Exception: For ICMP the option `enabled` has to be used instead. - -The ports where Network Packet Capture will look to capture traffic for specific -protocols. Network Packet Capture installs a -[BPF](https://en.wikipedia.org/wiki/Berkeley_Packet_Filter) filter based -on the ports specified in this section. If a packet doesn’t match the -filter, very little CPU is required to discard the packet. Network Packet Capture -also uses the ports specified here to determine which parser to use for -each packet. - -#### `monitor_processes` - -If this option is enabled then network traffic events will be enriched -with information about the process associated with the events. - -The default value is false. - -#### `send_request` - -If this option is enabled, the raw message of the request (`request` -field) is sent to Elasticsearch. The default is false. 
This option is -useful when you want to index the whole request. Note that for HTTP, the -body is not included by default, only the HTTP headers. - -#### `send_response` - -If this option is enabled, the raw message of the response (`response` -field) is sent to Elasticsearch. The default is false. This option is -useful when you want to index the whole response. Note that for HTTP, -the body is not included by default, only the HTTP headers. - -#### `transaction_timeout` - -The per protocol transaction timeout. Expired transactions will no -longer be correlated to incoming responses, but sent to Elasticsearch -immediately. - -#### `tags` - -A list of tags that will be sent with the transaction event. This -setting is optional. - -#### `processors` - -A list of processors to apply to the data generated by the protocol. - -#### `keep_null` - -If this option is set to true, fields with `null` values will be -published in the output document. By default, `keep_null` is set to -`false`. - - -## Network Flows - -Overall flow information about the network connections on a -host. - -You can configure Network Packet Capture to collect and report statistics -on network flows. A *flow* is a group of packets sent over the same time -period that share common properties, such as the same source and destination -address and protocol. You can use this feature to analyze network -traffic over specific protocols on your network. - -For each flow, Network Packet Capture reports the number of packets and the -total number of bytes sent from the source to the destination. Each flow event -also contains information about the source and destination hosts, such -as their IP address. For bi-directional flows, Network Packet Capture reports -statistics for the reverse flow. - -Network Packet Capture collects and reports statistics up to and including the -transport layer. - -**Configuration options** - -You can specify the following options for capturing flows. 
- -#### `enabled` - -Enables flows support if set to true. Set to false to disable network -flows support without having to delete or comment out the flows section. -The default value is true. - -#### `timeout` - -Timeout configures the lifetime of a flow. If no packets have been -received for a flow within the timeout time window, the flow is killed -and reported. The default value is 30s. - -#### `period` - -Configure the reporting interval. All flows are reported at the very -same point in time. Periodical reporting can be disabled by setting the -value to -1. If disabled, flows are still reported once being timed out. -The default value is 10s. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. 
| keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. 
| long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). 
| keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. 
For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). 
| ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -## Protocols - -### AMQP - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `max_body_length` - -The maximum size in bytes of the message displayed in the request or -response fields. Messages that are bigger than the specified size are -truncated. Use this option to avoid publishing huge messages when -[`send_request`](#send-request-option) or -[`send_response`](#send-response-option) is enabled. The default is -1000 bytes. - -#### `parse_headers` - -If set to true, Network Packet Capture parses the additional arguments specified in -the headers field of a message. Those arguments are key-value pairs that -specify information such as the content type of the message or the -message priority. The default is true. - -#### `parse_arguments` - -If set to true, Network Packet Capture parses the additional arguments specified in -AMQP methods. Those arguments are key-value pairs specified by the user -and can be of any length. The default is true. - -#### `hide_connection_information` - -If set to false, the connection layer methods of the protocol are also -displayed, such as the opening and closing of connections and channels -by clients, or the quality of service negotiation. The default is true. - -Fields published for AMQP packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| amqp.app-id | Creating application id. | keyword | -| amqp.arguments | Optional additional arguments passed to some methods. Can be of various types. | object | -| amqp.auto-delete | If set, auto-delete queue when unused. 
| boolean | -| amqp.class-id | Failing method class. | long | -| amqp.consumer-count | The number of consumers of a queue. | long | -| amqp.consumer-tag | Identifier for the consumer, valid within the current channel. | keyword | -| amqp.content-encoding | MIME content encoding. | keyword | -| amqp.content-type | MIME content type. | keyword | -| amqp.correlation-id | Application correlation identifier. | keyword | -| amqp.delivery-mode | Non-persistent (1) or persistent (2). | keyword | -| amqp.delivery-tag | The server-assigned and channel-specific delivery tag. | long | -| amqp.durable | If set, request a durable exchange/queue. | boolean | -| amqp.exchange | Name of the exchange. | keyword | -| amqp.exchange-type | Exchange type. | keyword | -| amqp.exclusive | If set, request an exclusive queue. | boolean | -| amqp.expiration | Message expiration specification. | keyword | -| amqp.headers | Message header field table. | object | -| amqp.if-empty | Delete only if empty. | boolean | -| amqp.if-unused | Delete only if unused. | boolean | -| amqp.immediate | Request immediate delivery. | boolean | -| amqp.mandatory | Indicates mandatory routing. | boolean | -| amqp.message-count | The number of messages in the queue, which will be zero for newly-declared queues. | long | -| amqp.message-id | Application message identifier. | keyword | -| amqp.method-id | Failing method ID. | long | -| amqp.multiple | Acknowledge multiple messages. | boolean | -| amqp.no-ack | If set, the server does not expect acknowledgements for messages. | boolean | -| amqp.no-local | If set, the server will not send messages to the connection that published them. | boolean | -| amqp.no-wait | If set, the server will not respond to the method. | boolean | -| amqp.passive | If set, do not create exchange/queue. | boolean | -| amqp.priority | Message priority, 0 to 9. | long | -| amqp.queue | The queue name identifies the queue within the vhost. 
| keyword | -| amqp.redelivered | Indicates that the message has been previously delivered to this or another client. | boolean | -| amqp.reply-code | AMQP reply code to an error, similar to http reply-code | long | -| amqp.reply-text | Text explaining the error. | keyword | -| amqp.reply-to | Address to reply to. | keyword | -| amqp.routing-key | Message routing key. | keyword | -| amqp.timestamp | Message timestamp. | keyword | -| amqp.type | Message type name. | keyword | -| amqp.user-id | Creating user id. | keyword | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. 
| keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. 
| long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). 
| keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. 
For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). 
| ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-
-
-An example event for `amqp` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T07:37:02.033Z",
- "agent": {
- "ephemeral_id": "ff9ccf25-9d67-46a5-b661-aa01e3db9b84",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "amqp": {
- "auto-delete": false,
- "consumer-count": 0,
- "durable": false,
- "exclusive": false,
- "message-count": 0,
- "no-wait": false,
- "passive": false,
- "queue": "hello"
- },
- "client": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 34222
- },
- "data_stream": {
- "dataset": "network_traffic.amqp",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 26,
- "ip": "127.0.0.1",
- "port": 5672
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "action": "amqp.queue.declare",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.amqp",
- "duration": 1325900,
- "end": "2022-03-09T07:37:02.035Z",
- "ingested": "2022-03-09T07:37:03Z",
- "kind": "event",
- "start": "2022-03-09T07:37:02.033Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)" 
- } - }, - "method": "queue.declare", - "network": { - "bytes": 51, - "community_id": "1:i6J4zz0FGnZMYLIy8kabND2W/XE=", - "direction": "ingress", - "protocol": "amqp", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - }, - "status": "OK", - "type": "amqp" -} -``` - -### Cassandra - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `send_request_header` - -If this option is enabled, the raw message of the response -(`cassandra_request.request_headers` field) is sent to Elasticsearch. -The default is true. Enable `send_request` first before enabling this -option. - -#### `send_response_header` - -If this option is enabled, the raw message of the response -(`cassandra_response.response_headers` field) is included in published -events. The default is true. enable `send_response` first before enable -this option. - -#### `ignored_ops` - -This option indicates which Operator/Operators captured will be ignored. -currently support: `ERROR` ,`STARTUP` ,`READY` ,`AUTHENTICATE` -,`OPTIONS` ,`SUPPORTED` , `QUERY` ,`RESULT` ,`PREPARE` ,`EXECUTE` -,`REGISTER` ,`EVENT` , `BATCH` ,`AUTH_CHALLENGE`,`AUTH_RESPONSE` -,`AUTH_SUCCESS` . - -#### `compressor` - -Configures the default compression algorithm being used to uncompress -compressed frames by name. Currently only `snappy` is can be configured. -By default no compressor is configured. - -Fields published for Apache Cassandra packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cassandra.no_request | Indicates that there is no request because this is a PUSH message. | boolean | -| cassandra.request.headers.flags | Flags applying to this frame. 
| keyword |
-| cassandra.request.headers.length | A integer representing the length of the body of the frame (a frame is limited to 256MB in length). | long |
-| cassandra.request.headers.op | An operation type that distinguishes the actual message. | keyword |
-| cassandra.request.headers.stream | A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. | keyword |
-| cassandra.request.headers.version | The version of the protocol. | keyword |
-| cassandra.request.query | The CQL query which client send to cassandra. | keyword |
-| cassandra.response.authentication.class | Indicates the full class name of the IAuthenticator in use | keyword |
-| cassandra.response.error.code | The error code of the Cassandra response. | long |
-| cassandra.response.error.details.alive | Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered). | long |
-| cassandra.response.error.details.arg_types | One string for each argument type (as CQL type) of the failed function. | keyword |
-| cassandra.response.error.details.blockfor | Representing the number of replicas whose acknowledgement is required to achieve consistency level. | long |
-| cassandra.response.error.details.data_present | It means the replica that was asked for data had responded. | boolean |
-| cassandra.response.error.details.function | The name of the failed function. | keyword |
-| cassandra.response.error.details.keyspace | The keyspace of the failed function. | keyword |
-| cassandra.response.error.details.num_failures | Representing the number of nodes that experience a failure while executing the request. | keyword |
-| cassandra.response.error.details.read_consistency | Representing the consistency level of the query that triggered the exception. 
| keyword |
-| cassandra.response.error.details.received | Representing the number of nodes having acknowledged the request. | long |
-| cassandra.response.error.details.required | Representing the number of nodes that should be alive to respect consistency level. | long |
-| cassandra.response.error.details.stmt_id | Representing the unknown ID. | keyword |
-| cassandra.response.error.details.table | The keyspace of the failed function. | keyword |
-| cassandra.response.error.details.write_type | Describe the type of the write that timed out. | keyword |
-| cassandra.response.error.msg | The error message of the Cassandra response. | keyword |
-| cassandra.response.error.type | The error type of the Cassandra response. | keyword |
-| cassandra.response.event.change | The message corresponding respectively to the type of change followed by the address of the new/removed node. | keyword |
-| cassandra.response.event.host | Representing the node ip. | keyword |
-| cassandra.response.event.port | Representing the node port. | long |
-| cassandra.response.event.schema_change.args | One string for each argument type (as CQL type). | keyword |
-| cassandra.response.event.schema_change.change | Representing the type of changed involved. | keyword |
-| cassandra.response.event.schema_change.keyspace | This describes which keyspace has changed. | keyword |
-| cassandra.response.event.schema_change.name | The function/aggregate name. | keyword |
-| cassandra.response.event.schema_change.object | This describes the name of said affected object (either the table, user type, function, or aggregate name). | keyword |
-| cassandra.response.event.schema_change.table | This describes which table has changed. | keyword |
-| cassandra.response.event.schema_change.target | Target could be "FUNCTION" or "AGGREGATE", multiple arguments. | keyword |
-| cassandra.response.event.type | Representing the event type. 
| keyword |
-| cassandra.response.headers.flags | Flags applying to this frame. | keyword |
-| cassandra.response.headers.length | A integer representing the length of the body of the frame (a frame is limited to 256MB in length). | long |
-| cassandra.response.headers.op | An operation type that distinguishes the actual message. | keyword |
-| cassandra.response.headers.stream | A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. | keyword |
-| cassandra.response.headers.version | The version of the protocol. | keyword |
-| cassandra.response.result.keyspace | Indicating the name of the keyspace that has been set. | keyword |
-| cassandra.response.result.prepared.prepared_id | Representing the prepared query ID. | keyword |
-| cassandra.response.result.prepared.req_meta.col_count | Representing the number of columns selected by the query that produced this result. | long |
-| cassandra.response.result.prepared.req_meta.flags | Provides information on the formatting of the remaining information. | keyword |
-| cassandra.response.result.prepared.req_meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword |
-| cassandra.response.result.prepared.req_meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword |
-| cassandra.response.result.prepared.req_meta.pkey_columns | Representing the PK columns index and counts. | long |
-| cassandra.response.result.prepared.req_meta.table | Only present after set Global_tables_spec, the table name. | keyword |
-| cassandra.response.result.prepared.resp_meta.col_count | Representing the number of columns selected by the query that produced this result. 
| long |
-| cassandra.response.result.prepared.resp_meta.flags | Provides information on the formatting of the remaining information. | keyword |
-| cassandra.response.result.prepared.resp_meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword |
-| cassandra.response.result.prepared.resp_meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword |
-| cassandra.response.result.prepared.resp_meta.pkey_columns | Representing the PK columns index and counts. | long |
-| cassandra.response.result.prepared.resp_meta.table | Only present after set Global_tables_spec, the table name. | keyword |
-| cassandra.response.result.rows.meta.col_count | Representing the number of columns selected by the query that produced this result. | long |
-| cassandra.response.result.rows.meta.flags | Provides information on the formatting of the remaining information. | keyword |
-| cassandra.response.result.rows.meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword |
-| cassandra.response.result.rows.meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword |
-| cassandra.response.result.rows.meta.pkey_columns | Representing the PK columns index and counts. | long |
-| cassandra.response.result.rows.meta.table | Only present after set Global_tables_spec, the table name. | keyword |
-| cassandra.response.result.rows.num_rows | Representing the number of rows present in this result. | long |
-| cassandra.response.result.schema_change.args | One string for each argument type (as CQL type). | keyword |
-| cassandra.response.result.schema_change.change | Representing the type of changed involved. 
| keyword | -| cassandra.response.result.schema_change.keyspace | This describes which keyspace has changed. | keyword | -| cassandra.response.result.schema_change.name | The function/aggregate name. | keyword | -| cassandra.response.result.schema_change.object | This describes the name of said affected object (either the table, user type, function, or aggregate name). | keyword | -| cassandra.response.result.schema_change.table | This describes which table has changed. | keyword | -| cassandra.response.result.schema_change.target | Target could be "FUNCTION" or "AGGREGATE", multiple arguments. | keyword | -| cassandra.response.result.type | Cassandra result type. | keyword | -| cassandra.response.supported | Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message. | flattened | -| cassandra.response.warnings | The text of the warnings, only occur when Warning flag was set. | keyword | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. 
| keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. 
If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. 
| keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. 
For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. 
| keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `cassandra` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:43:05.888Z", - "agent": { - "ephemeral_id": "20d6eb94-1319-473d-9e2f-05621a4d2494", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "cassandra": { - "request": { - "headers": { - "flags": "Default", - "length": 98, - "op": "QUERY", - "stream": 49, - "version": "4" - }, - "query": "CREATE TABLE users (\n user_id int PRIMARY KEY,\n fname text,\n lname text\n);" - }, - "response": { - "headers": { - "flags": "Default", - "length": 39, - "op": "RESULT", - "stream": 49, - "version": "4" - }, - "result": { - "schema_change": { - "change": "CREATED", - "keyspace": "mykeyspace", - "object": "users", - "target": "TABLE" - }, - "type": "schemaChanged" - } - } - }, - "client": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "data_stream": { - "dataset": "network_traffic.cassandra", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.cassandra", - "duration": 131589500, - "end": "2022-03-09T07:43:06.019Z", - "ingested": "2022-03-09T07:43:09Z", - "kind": "event", - "start": 
"2022-03-09T07:43:05.888Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "bytes": 155, - "community_id": "1:bCORHZnGIk6GWYaE3Kn0DOpQCKE=", - "direction": "ingress", - "protocol": "cassandra", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "source": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "status": "OK", - "type": "cassandra" -} -``` - -### DHCP - -**Configuration options** - -See [Common protocol options](#common-protocol-options). - -Fields published for DHCPv4 packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dhcpv4.assigned_ip | The IP address that the DHCP server is assigning to the client. This field is also known as "your" IP address. | ip | -| dhcpv4.client_ip | The current IP address of the client. | ip | -| dhcpv4.client_mac | The client's MAC address (layer two). | keyword | -| dhcpv4.flags | Flags are set by the client to indicate how the DHCP server should its reply -- either unicast or broadcast. | keyword | -| dhcpv4.hardware_type | The type of hardware used for the local network (Ethernet, LocalTalk, etc). | keyword | -| dhcpv4.hops | The number of hops the DHCP message went through. | long | -| dhcpv4.op_code | The message op code (bootrequest or bootreply). 
| keyword | -| dhcpv4.option.boot_file_name | This option is used to identify a bootfile when the 'file' field in the DHCP header has been used for DHCP options. | keyword | -| dhcpv4.option.broadcast_address | This option specifies the broadcast address in use on the client's subnet. | ip | -| dhcpv4.option.class_identifier | This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. Vendors may choose to define specific vendor class identifiers to convey particular configuration or other identification information about a client. For example, the identifier may encode the client's hardware configuration. | keyword | -| dhcpv4.option.dns_servers | The domain name server option specifies a list of Domain Name System servers available to the client. | ip | -| dhcpv4.option.domain_name | This option specifies the domain name that client should use when resolving hostnames via the Domain Name System. | keyword | -| dhcpv4.option.hostname | This option specifies the name of the client. | keyword | -| dhcpv4.option.ip_address_lease_time_sec | This option is used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client to request a lease time for the IP address. In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer. | long | -| dhcpv4.option.max_dhcp_message_size | This option specifies the maximum length DHCP message that the client is willing to accept. | long | -| dhcpv4.option.message | This option is used by a DHCP server to provide an error message to a DHCP client in a DHCPNAK message in the event of a failure. A client may use this option in a DHCPDECLINE message to indicate the why the client declined the offered parameters. | text | -| dhcpv4.option.message_type | The specific type of DHCP message being sent (e.g. discover, offer, request, decline, ack, nak, release, inform). 
| keyword | -| dhcpv4.option.ntp_servers | This option specifies a list of IP addresses indicating NTP servers available to the client. | ip | -| dhcpv4.option.parameter_request_list | This option is used by a DHCP client to request values for specified configuration parameters. | keyword | -| dhcpv4.option.rebinding_time_sec | This option specifies the time interval from address assignment until the client transitions to the REBINDING state. | long | -| dhcpv4.option.renewal_time_sec | This option specifies the time interval from address assignment until the client transitions to the RENEWING state. | long | -| dhcpv4.option.requested_ip_address | This option is used in a client request (DHCPDISCOVER) to allow the client to request that a particular IP address be assigned. | ip | -| dhcpv4.option.router | The router option specifies a list of IP addresses for routers on the client's subnet. | ip | -| dhcpv4.option.server_identifier | IP address of the individual DHCP server which handled this message. | ip | -| dhcpv4.option.subnet_mask | The subnet mask that the client should use on the currnet network. | ip | -| dhcpv4.option.time_servers | The time server option specifies a list of RFC 868 time servers available to the client. | ip | -| dhcpv4.option.utc_time_offset_sec | The time offset field specifies the offset of the client's subnet in seconds from Coordinated Universal Time (UTC). | long | -| dhcpv4.option.vendor_identifying_options | A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs. This field is described in RFC 3925. | object | -| dhcpv4.relay_ip | The relay IP address used by the client to contact the server (i.e. a DHCP relay server). | ip | -| dhcpv4.seconds | Number of seconds elapsed since client began address acquisition or renewal process. 
| long | -| dhcpv4.server_ip | The IP address of the DHCP server that the client should use for the next step in the bootstrap process. | ip | -| dhcpv4.server_name | The name of the server sending the message. Optional. Used in DHCPOFFER or DHCPACK messages. | keyword | -| dhcpv4.transaction_id | Transaction ID, a random number chosen by the client, used by the client and server to associate messages and responses between a client and a server. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. 
| date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. 
| keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `dhcpv4` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:43:52.712Z", - "agent": { - "ephemeral_id": "b98a43ba-d050-42e6-ab2f-2eba352e9cb0", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "data_stream": { - "dataset": "network_traffic.dhcpv4", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "255.255.255.255", - "port": 67 - }, - "dhcpv4": { - "client_mac": "00-0B-82-01-FC-42", - "flags": "unicast", - "hardware_type": "Ethernet", - "hops": 0, - "op_code": "bootrequest", - "option": { - "message_type": "discover", - "parameter_request_list": [ - "Subnet Mask", - "Router", - "Domain Name Server", - "NTP Servers" - ], - "requested_ip_address": "0.0.0.0" - }, - "seconds": 0, - "transaction_id": "0x00003d1d" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dhcpv4", - "ingested": "2022-03-09T07:43:53Z", - "kind": "event", - "start": "2022-03-09T07:43:52.712Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "bytes": 272, - "community_id": "1:t9O1j0qj71O4wJM7gnaHtgmfev8=", - "direction": "unknown", - "protocol": "dhcpv4", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "ip": [ - "0.0.0.0", - 
"255.255.255.255" - ] - }, - "server": { - "ip": "255.255.255.255", - "port": 67 - }, - "source": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "status": "OK", - "type": "dhcpv4" -} -``` - -### DNS - -The DNS protocol supports processing DNS messages on TCP and UDP. - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `include_authorities` - -If this option is enabled, dns.authority fields (authority resource -records) are added to DNS events. The default is false. - -#### `include_additionals` - -If this option is enabled, dns.additionals fields (additional resource -records) are added to DNS events. The default is false. - -Fields published for DNS packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. 
| keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dns.additionals | An array containing a dictionary for each additional section from the answer. | object | -| dns.additionals.class | The class of DNS data contained in this resource record. | keyword | -| dns.additionals.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.additionals.name | The domain name to which this resource record pertains. | keyword | -| dns.additionals.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.additionals.type | The type of data contained in this resource record. | keyword | -| dns.additionals_count | The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat. 
| long | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.answers_count | The number of resource records contained in the `dns.answers` field. | long | -| dns.authorities | An array containing a dictionary for each authority section from the answer. | object | -| dns.authorities.class | The class of DNS data contained in this resource record. | keyword | -| dns.authorities.name | The domain name to which this resource record pertains. | keyword | -| dns.authorities.type | The type of data contained in this resource record. | keyword | -| dns.authorities_count | The number of resource records contained in the `dns.authorities` field. 
The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat. | long | -| dns.flags.authentic_data | A DNS flag specifying that the recursive server considers the response authentic. | boolean | -| dns.flags.authoritative | A DNS flag specifying that the responding server is an authority for the domain name used in the question. | boolean | -| dns.flags.checking_disabled | A DNS flag specifying that the client disables the server signature validation of the query. | boolean | -| dns.flags.recursion_available | A DNS flag specifying whether recursive query support is available in the name server. | boolean | -| dns.flags.recursion_desired | A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional. | boolean | -| dns.flags.truncated_response | A DNS flag specifying that only the first 512 bytes of the reply were returned. | boolean | -| dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword | -| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | -| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword | -| dns.opt.do | If set, the transaction uses DNSSEC. | boolean | -| dns.opt.ext_rcode | Extended response code field. | keyword | -| dns.opt.udp_size | Requestor's UDP payload size (in bytes). | long | -| dns.opt.version | The EDNS version. | keyword | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.etld_plus_one | The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. 
| keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| dns.type | The type of DNS event captured, query or answer. 
If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. 
| keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:48:42.751Z", - "agent": { - "ephemeral_id": "1d099984-2551-49e1-9e6a-c1dff964be0f", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "data_stream": { - "dataset": "network_traffic.dns", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "dns": { - "additionals_count": 0, - "answers": [ - { - "class": "IN", - "data": "ns-1183.awsdns-19.org", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-2007.awsdns-58.co.uk", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-66.awsdns-08.com", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-835.awsdns-40.net", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - } - ], - "answers_count": 4, - "authorities_count": 0, - "flags": { - "authentic_data": false, - "authoritative": false, - "checking_disabled": false, - "recursion_available": true, - "recursion_desired": true, - "truncated_response": false - }, - "header_flags": [ - "RD", - "RA" - ], - "id": 26187, - "op_code": "QUERY", - "question": { - "class": "IN", - "etld_plus_one": "elastic.co", - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "NS" - }, - "response_code": "NOERROR", - "type": "answer" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dns", - "duration": 68515700, - "end": "2022-03-09T07:48:42.819Z", - "ingested": 
"2022-03-09T07:48:43Z", - "kind": "event", - "start": "2022-03-09T07:48:42.751Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "QUERY", - "network": { - "bytes": 195, - "community_id": "1:3P4ruI0bVlqxiTAs0WyBhnF74ek=", - "direction": "unknown", - "protocol": "dns", - "transport": "udp", - "type": "ipv4" - }, - "query": "class IN, type NS, elastic.co", - "related": { - "ip": [ - "192.168.238.68", - "8.8.8.8" - ] - }, - "resource": "elastic.co", - "server": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "source": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "status": "OK", - "type": "dns" -} -``` - -### HTTP - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `hide_keywords` - -A list of query parameters that Network Packet Capture will automatically censor in -the transactions that it saves. The values associated with these -parameters are replaced by `'xxxxx'`. By default, no changes are made to -the HTTP messages. - -Network Packet Capture has this option because, unlike SQL traffic, which typically -only contains the hashes of the passwords, HTTP traffic may contain -sensitive data. To reduce security risks, you can configure this option -to avoid sending the contents of certain HTTP POST parameters. - -This option replaces query parameters from GET requests and top-level -parameters from POST requests. If sensitive data is encoded inside a -parameter that you don’t specify here, Network Packet Capture cannot censor it. 
-Also, note that if you configure Network Packet Capture to save the raw request and -response fields (see the [`send_request`](#send-request-option) and -the [`send_response`](#send-response-option) options), sensitive data -may be present in those fields. - -#### `redact_authorization` - -When this option is enabled, Network Packet Capture obscures the value of -`Authorization` and `Proxy-Authorization` HTTP headers, and censors -those strings in the response. - -You should set this option to true for transactions that use Basic -Authentication because they may contain the base64 unencrypted username -and password. - -#### `send_headers` - -A list of header names to capture and send to Elasticsearch. These -headers are placed under the `headers` dictionary in the resulting JSON. - -#### `send_all_headers` - -Instead of sending a white list of headers to Elasticsearch, you can -send all headers by setting this option to true. The default is false. - -#### `redact_headers` - -A list of headers to redact if present in the HTTP request. This will -keep the header field present, but will redact it’s value to show the -header’s presence. - -#### `include_body_for` - -The list of content types for which Network Packet Capture exports the full HTTP -payload. The HTTP body is available under `http.request.body.content` -and `http.response.body.content` for these Content-Types. - -In addition, if [`send_response`](#send-response-option) option is -enabled, then the HTTP body is exported together with the HTTP headers -under `response` and if [`send_request`](#send-request-option) -enabled, then `request` contains the entire HTTP message including the -body. 
- -In the following example, the HTML attachments of the HTTP responses are -exported under the `response` field and under -`http.request.body.content` or `http.response.body.content`: - - Network Packet Capture.protocols: - - type: http - ports: [80, 8080] - send_response: true - include_body_for: ["text/html"] - -#### `decode_body` - -A boolean flag that controls decoding of HTTP payload. It interprets the -`Content-Encoding` and `Transfer-Encoding` headers and uncompresses the -entity body. Supported encodings are `gzip` and `deflate`. This option -is only applicable in the cases where the HTTP payload is exported, that -is, when one of the `include_*_body_for` options is specified or a POST -request contains url-encoded parameters. - -#### `split_cookie` - -If the `Cookie` or `Set-Cookie` headers are sent, this option controls -whether they are split into individual values. For example, with this -option set, an HTTP response might result in the following JSON: - - "response": { - "code": 200, - "headers": { - "connection": "close", - "content-language": "en", - "content-type": "text/html; charset=utf-8", - "date": "Fri, 21 Nov 2014 17:07:34 GMT", - "server": "gunicorn/19.1.1", - "set-cookie": { - "csrftoken": "S9ZuJF8mvIMT5CL4T1Xqn32wkA6ZSeyf", - "expires": "Fri, 20-Nov-2015 17:07:34 GMT", - "max-age": "31449600", - "path": "/" - }, - "vary": "Cookie, Accept-Language" - }, - "status_phrase": "OK" - } - -- Note that `set-cookie` is a map containing the cookie names as keys. - -The default is false. - -#### `real_ip_header` - -The header field to extract the real IP from. This setting is useful -when you want to capture traffic behind a reverse proxy, but you want to -get the geo-location information. If this header is present and contains -a valid IP addresses, the information is used for the -`network.forwarded_ip` field. - -#### `max_message_size` - -If an individual HTTP message is larger than this setting (in bytes), it -will be trimmed to this size. 
Unless this value is very small -(<1.5K), Network Packet Capture is able to still correctly follow the transaction -and create an event for it. The default is 10485760 (10 MB). - -Fields published for HTTP packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. 
If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.body.bytes | Size in bytes of the request body. | long | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.headers | A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. 
| flattened | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.bytes | Size in bytes of the response body. | long | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.headers | A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. | flattened | -| http.response.status_code | HTTP response status code. | long | -| http.response.status_phrase | The HTTP status phrase. | keyword | -| http.version | HTTP version. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. 
For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | - - -An example event for `http` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:54:42.031Z", - "agent": { - "ephemeral_id": "822947c0-15fd-4278-ba0d-2cc64d687bb2", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 211, - "ip": "192.168.238.50", - "port": 64770 - }, - "data_stream": { - "dataset": "network_traffic.http", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 9108, - "domain": "packetbeat.com", - "ip": "107.170.1.22", - "port": 80 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.http", - "duration": 141490400, - "end": "2022-03-09T07:54:42.172Z", - "ingested": "2022-03-09T07:54:43Z", - "kind": "event", - "start": "2022-03-09T07:54:42.031Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "http": { - "request": { - "body": { - "bytes": 55 - }, - "bytes": 211, - "headers": { - "content-length": 55, - "content-type": "application/x-www-form-urlencoded" - }, - "method": "POST" - }, - "response": { - "body": { - "bytes": 8936 - }, - "bytes": 9108, - "headers": { - "content-length": 8936, - "content-type": "text/html; charset=utf-8" - }, - "status_code": 404, - "status_phrase": "not found" - }, - "version": "1.1" - }, - "method": "POST", - "network": { - "bytes": 9319, - 
"community_id": "1:LREAuuDqOAxXEbzF064U0QX5FBs=", - "direction": "unknown", - "protocol": "http", - "transport": "tcp", - "type": "ipv4" - }, - "query": "POST /register", - "related": { - "hosts": [ - "packetbeat.com" - ], - "ip": [ - "192.168.238.50", - "107.170.1.22" - ] - }, - "server": { - "bytes": 9108, - "domain": "packetbeat.com", - "ip": "107.170.1.22", - "port": 80 - }, - "source": { - "bytes": 211, - "ip": "192.168.238.50", - "port": 64770 - }, - "status": "Error", - "type": "http", - "url": { - "domain": "packetbeat.com", - "full": "http://packetbeat.com/register?address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", - "path": "/register", - "query": "address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", - "scheme": "http" - }, - "user_agent": { - "original": "curl/7.37.1" - } -} -``` - -### ICMP - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -**`enabled`** - -The ICMP protocol can be enabled/disabled via this option. The default -is true. - -If enabled Network Packet Capture will generate the following BPF filter: -`"icmp or icmp6"`. -Fields published for ICMP packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. 
| keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| icmp.request.code | The request code. | long | -| icmp.request.message | A human readable form of the request. | keyword | -| icmp.request.type | The request type. | long | -| icmp.response.code | The response code. | long | -| icmp.response.message | A human readable form of the response. | keyword | -| icmp.response.type | The response type. | long | -| icmp.version | The version of the ICMP protocol. | long | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. 
| keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `icmp` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:57:32.766Z", - "agent": { - "ephemeral_id": "34e079a4-8dee-40db-a820-2296c225fbbe", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 4, - "ip": "::1" - }, - "data_stream": { - "dataset": "network_traffic.icmp", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 4, - "ip": "::2" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.icmp", - "duration": 13336600, - "end": "2022-03-09T07:57:32.779Z", - "ingested": "2022-03-09T07:57:36Z", - "kind": "event", - "start": "2022-03-09T07:57:32.766Z", - "type": [ - "connection" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "icmp": { - "request": { - "code": 0, - "message": "EchoRequest", - "type": 128 - }, - "response": { - "code": 0, - "message": "EchoReply", - "type": 129 - }, - "version": 6 - }, - "network": { - "bytes": 8, - "community_id": "1:9UpHcZHFAOl8WqZVOs5YRQ5wDGE=", - "direction": "egress", - "transport": "ipv6-icmp", - "type": "ipv6" - }, - "path": "::2", - "related": { - "ip": [ - "::1", - "::2" - ] - }, - "server": { - "bytes": 4, - "ip": "::2" - }, - "source": { - "bytes": 4, - "ip": "::1" - }, - "status": "OK", - "type": "icmp" -} -``` - -### Memcached - -**Configuration options** - -Also see [Common 
protocol options](#common-protocol-options). - -#### `parseunknown` - -When this option is enabled, it forces the memcache text protocol parser -to accept unknown commands. - -The unknown commands MUST NOT contain a data part. - -#### `maxvalues` - -The maximum number of values to store in the message (multi-get). All -values will be base64 encoded. - -The possible settings for this option are: - -- `maxvalue: -1`, which stores all values (text based protocol multi-get) -- `maxvalue: 0`, which stores no values (default) -- `maxvalue: N`, which stores up to N values - -#### `maxbytespervalue` - -The maximum number of bytes to be copied for each value element. - -Values will be base64 encoded, so the actual size in the JSON document -will be 4 times the value that you specify for `maxbytespervalue`. - -#### `udptransactiontimeout` - -The transaction timeout in milliseconds. The defaults is 10000 -milliseconds. - -Quiet messages in UDP binary protocol get responses only if there is an -error. The memcache protocol analyzer will wait for the number of -milliseconds specified by `udptransactiontimeout` before publishing -quiet messages. Non-quiet messages or quiet requests with an error -response are published immediately. - -Fields published for Memcached packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. 
| date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. 
It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. 
| keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| memcache.protocol_type | The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. | keyword |
-| memcache.request.automove | The automove mode in the 'slab automove' command expressed as a string. 
This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. | keyword |
-| memcache.request.bytes | The byte count of the values being transferred. | long |
-| memcache.request.cas_unique | The CAS (compare-and-swap) identifier if present. | long |
-| memcache.request.command | The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. | keyword |
-| memcache.request.count_values | The number of values found in the memcache request message. If the command does not send any data, this field is missing. | long |
-| memcache.request.delta | The counter increment/decrement delta value. | long |
-| memcache.request.dest_class | The destination class id in 'slab reassign' command. | long |
-| memcache.request.exptime | The data expiry time in seconds sent with the memcache command (if present). If the value is `\< 30` days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). | long |
-| memcache.request.flags | The memcache command flags sent in the request (if present). | long |
-| memcache.request.initial | The counter increment/decrement initial value parameter (binary protocol only). | long |
-| memcache.request.keys | The list of keys sent in the store or load commands. | array |
-| memcache.request.line | The raw command line for unknown commands ONLY. | keyword |
-| memcache.request.noreply | Set to true if noreply was set in the request. The `memcache.response` field will be missing. | boolean |
-| memcache.request.opaque | The binary protocol opaque header value used for correlating request with response messages. | long |
-| memcache.request.opcode | The binary protocol message opcode name. | keyword |
-| memcache.request.opcode_value | The binary protocol message opcode value. 
| long |
-| memcache.request.quiet | Set to true if the binary protocol message is to be treated as a quiet message. | boolean |
-| memcache.request.raw_args | The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. | keyword |
-| memcache.request.sleep_us | The sleep setting in microseconds for the 'lru_crawler sleep' command. | long |
-| memcache.request.source_class | The source class id in 'slab reassign' command. | long |
-| memcache.request.type | The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". | keyword |
-| memcache.request.values | The list of base64 encoded values sent with the request (if present). | array |
-| memcache.request.vbucket | The vbucket index sent in the binary message. | long |
-| memcache.request.verbosity | The value of the memcache "verbosity" command. | long |
-| memcache.response.bytes | The byte count of the values being transferred. | long |
-| memcache.response.cas_unique | The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). | long |
-| memcache.response.command | Either the text based protocol response message type or the name of the originating request if binary protocol is used. | keyword |
-| memcache.response.count_values | The number of values found in the memcache response message. If the command does not send any data, this field is missing. | long |
-| memcache.response.error_msg | The optional error message in the memcache response (text based protocol only). | keyword |
-| memcache.response.flags | The memcache message flags sent in the response (if present). | long |
-| memcache.response.keys | The list of keys returned for the load command (if present). | array |
-| memcache.response.opaque | The binary protocol opaque header value used for correlating request with response messages. 
| long |
-| memcache.response.opcode | The binary protocol message opcode name. | keyword |
-| memcache.response.opcode_value | The binary protocol message opcode value. | long |
-| memcache.response.stats | The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". | array |
-| memcache.response.status | The textual representation of the response error code (binary protocol only). | keyword |
-| memcache.response.status_code | The status code value returned in the response (binary protocol only). | long |
-| memcache.response.type | The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). | keyword |
-| memcache.response.value | The counter value returned by a counter operation. | long |
-| memcache.response.values | The list of base64 encoded values sent with the response (if present). | array |
-| memcache.response.version | The returned memcache version string. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. 
| keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `memcached` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:09:26.564Z", - "agent": { - "ephemeral_id": "53c3aab1-4c1d-4f33-87a9-1d1d4ce75205", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "ip": "192.168.188.37", - "port": 65195 - }, - "data_stream": { - "dataset": "network_traffic.memcached", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 1064, - "ip": "192.168.188.38", - "port": 11211 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.memcached", - "ingested": "2022-03-09T08:09:37Z", - "kind": "event", - "start": "2022-03-09T08:09:26.564Z", - "type": [ - "connection", - "protocol" - ] - }, - "event.action": "memcache.store", - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "memcache": { - "protocol_type": "binary", - "request": { - "bytes": 1024, - "command": "set", - "count_values": 1, - "exptime": 0, - "flags": 0, - "keys": [ - "test_key" - ], - "opaque": 65536, - "opcode": "SetQ", - "opcode_value": 17, - "quiet": true, - "type": "Store", - "vbucket": 0 - } - }, - "network": { - "bytes": 1064, - "community_id": "1:QMbWqXK5vGDDbp48SEFuFe8Z1lQ=", - "direction": "unknown", - "protocol": "memcache", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.188.37", - "192.168.188.38" - ] - }, - 
"server": { - "bytes": 1064, - "ip": "192.168.188.38", - "port": 11211 - }, - "source": { - "ip": "192.168.188.37", - "port": 65195 - }, - "status": "OK", - "type": "memcache" -} -``` - -### MongoDB - -**Configuration options** - -The `max_docs` and `max_doc_length` settings are useful for limiting the -amount of data Network Packet Capture indexes in the `response` fields. - -Also see [Common protocol options](#common-protocol-options). - -#### `max_docs` - -The maximum number of documents from the response to index in the -`response` field. The default is 10. You can set this to 0 to index an -unlimited number of documents. - -Network Packet Capture adds a `[...]` line at the end to signify that there were -additional documents that weren’t saved because of this setting. - -#### `max_doc_length` - -The maximum number of characters in a single document indexed in the -`response` field. The default is 5000. You can set this to 0 to index an -unlimited number of characters per document. - -If the document is trimmed because of this setting, Network Packet Capture adds the -string `...` at the end of the document. - -Note that limiting documents in this way means that they are no longer -correctly formatted JSON objects. - -Fields published for MongoDB packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. 
| date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. 
| keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| mongodb.cursorId | The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. | keyword |
-| mongodb.error | If the MongoDB request has resulted in an error, this field contains the error message returned by the server. | keyword |
-| mongodb.fullCollectionName | The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. | keyword |
-| mongodb.numberReturned | The number of documents in the reply. | long |
-| mongodb.numberToReturn | The requested maximum number of documents to be returned. | long |
-| mongodb.numberToSkip | Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query. | long |
-| mongodb.query | A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot. 
| keyword |
-| mongodb.returnFieldsSelector | A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. | keyword |
-| mongodb.selector | A BSON document that specifies the query for selecting the document to update or delete. | keyword |
-| mongodb.startingFrom | Where in the cursor this reply is starting. | keyword |
-| mongodb.update | A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. 
| ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. 
| long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-
-
-An example event for `mongodb` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T08:15:48.570Z",
- "agent": {
- "ephemeral_id": "fafaeb02-c623-46a0-a3e0-72e035bd12ba",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 50,
- "ip": "127.0.0.1",
- "port": 57203
- },
- "data_stream": {
- "dataset": "network_traffic.mongodb",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 514,
- "ip": "127.0.0.1",
- "port": 27017
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.mongodb",
- "duration": 1365900,
- "end": "2022-03-09T08:15:48.571Z",
- "ingested": "2022-03-09T08:15:49Z",
- "kind": "event",
- "start": "2022-03-09T08:15:48.570Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- 
"architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "find", - "mongodb": { - "cursorId": 0, - "fullCollectionName": "test.restaurants", - "numberReturned": 1, - "numberToReturn": 1, - "numberToSkip": 0, - "startingFrom": 0 - }, - "network": { - "bytes": 564, - "community_id": "1:mYSTZ4QZBfvJO05Em9TnPwrae6g=", - "direction": "ingress", - "protocol": "mongodb", - "transport": "tcp", - "type": "ipv4" - }, - "query": "test.restaurants.find().limit(1)", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "resource": "test.restaurants", - "server": { - "bytes": 514, - "ip": "127.0.0.1", - "port": 27017 - }, - "source": { - "bytes": 50, - "ip": "127.0.0.1", - "port": 57203 - }, - "status": "OK", - "type": "mongodb" -} -``` - -### MySQL - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `max_rows` - -The maximum number of rows from the SQL message to publish to -Elasticsearch. The default is 10 rows. - -#### `max_row_length` - -The maximum length in bytes of a row from the SQL message to publish to -Elasticsearch. The default is 1024 bytes. - -### `statement_timeout` - -The duration for which prepared statements are cached after their last -use. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The -default is `1h`. - -Fields published for MySQL packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. 
| long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. 
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| mysql.affected_rows | If the MySQL command is successful, this field contains the affected number of rows of the last statement. | long |
-| mysql.error_code | The error code returned by MySQL. | long |
-| mysql.error_message | The error info message returned by MySQL. | keyword |
-| mysql.insert_id | If the INSERT query is successful, this field contains the id of the newly inserted row. | keyword |
-| mysql.num_fields | If the SELECT query is successful, this field is set to the number of fields returned. | long |
-| mysql.num_rows | If the SELECT query is successful, this field is set to the number of rows returned. | long |
-| mysql.query | The row mysql query as read from the transaction's request. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. 
Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. 
For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword |
-
-
-An example event for `mysql` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T08:20:44.667Z",
- "agent": {
- "ephemeral_id": "43167926-7ebd-4acd-8216-daf3664fe286",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 23,
- "ip": "127.0.0.1",
- "port": 41517
- },
- "data_stream": {
- "dataset": "network_traffic.mysql",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 3629,
- "ip": "127.0.0.1",
- "port": 3306
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.mysql",
- "duration": 5532500,
- "end": "2022-03-09T08:20:44.673Z",
- "ingested": "2022-03-09T08:20:45Z",
- "kind": "event",
- "start": "2022-03-09T08:20:44.667Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "SELECT",
- "mysql": {
- "affected_rows": 0,
- "insert_id": 0,
- "num_fields": 3,
- "num_rows": 15
- },
- "network": {
- "bytes": 3652,
- "community_id": "1:goIcZn7CMIJ6W7Yf8JRV618zzxA=",
- "direction": "ingress",
- "protocol": "mysql",
- "transport": "tcp",
- "type": "ipv4"
- },
- "path": "test.test",
- "query": "select * from test",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 3629,
- "ip": "127.0.0.1",
- "port": 3306
- },
- "source": {
- "bytes": 23,
- "ip": "127.0.0.1",
- "port": 41517
- },
- 
"status": "OK", - "type": "mysql" -} -``` - -### NFS - -**Configuration options** - -See [Common protocol options](#common-protocol-options). - -Fields published for NFS packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. 
| keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. 
| long |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. 
For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| nfs.minor_version | NFS protocol minor version number. | long | -| nfs.opcode | NFS operation name, or main operation name, in case of COMPOUND calls. | keyword | -| nfs.status | NFS operation reply status. | keyword | -| nfs.tag | NFS v4 COMPOUND operation tag. | keyword | -| nfs.version | NFS protocol version number. | long | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| rpc.auth_flavor | RPC authentication flavor. | keyword | -| rpc.cred.gid | RPC caller's group id, in case of auth-unix. | long | -| rpc.cred.gids | RPC caller's secondary group ids, in case of auth-unix. | long | -| rpc.cred.machinename | The name of the caller's machine. 
| keyword | -| rpc.cred.stamp | Arbitrary ID which the caller machine may generate. | long | -| rpc.cred.uid | RPC caller's user id, in case of auth-unix. | long | -| rpc.status | RPC message reply status. | keyword | -| rpc.xid | RPC message transaction identifier. | keyword | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | -| user.id | Unique identifier of the user. 
| keyword | - - -An example event for `nfs` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:24:00.569Z", - "agent": { - "ephemeral_id": "62904593-11a1-4706-8487-78b14fb72c08", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "data_stream": { - "dataset": "network_traffic.nfs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "nfs.CLOSE", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.nfs", - "duration": 6573500, - "end": "2022-03-09T08:24:00.575Z", - "ingested": "2022-03-09T08:24:01Z", - "kind": "event", - "start": "2022-03-09T08:24:00.569Z", - "type": [ - "connection", - "protocol" - ] - }, - "group.id": 48, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "host.hostname": "desycloud03.desy.de", - "network": { - "bytes": 384, - "community_id": "1:cd5eLXemAsSPMdXwCbdDUWWud4M=", - "direction": "unknown", - "protocol": "nfsv4", - "transport": "tcp", - "type": "ipv4" - }, - "nfs": { - "minor_version": 1, - "opcode": "CLOSE", - "status": "NFS_OK", - "tag": "", - "version": 4 - }, - "related": { - "ip": [ - "131.169.5.156", - "131.169.192.35" - ] - }, - "rpc": { - "auth_flavor": "unix", - "cred": { - "gid": 48, - 
"gids": [
- 48
- ],
- "machinename": "desycloud03.desy.de",
- "stamp": 4308441,
- "uid": 48
- },
- "status": "success",
- "xid": "c3103fc1"
- },
- "server": {
- "bytes": 176,
- "ip": "131.169.192.35",
- "port": 2049
- },
- "source": {
- "bytes": 208,
- "domain": "desycloud03.desy.de",
- "ip": "131.169.5.156",
- "port": 907
- },
- "status": "OK",
- "type": "nfs",
- "user.id": 48
-}
-```
-
-### PostgreSQL
-
-**Configuration options**
-
-Also see [Common protocol options](#common-protocol-options).
-
-#### `max_rows`
-
-The maximum number of rows from the SQL message to publish to
-Elasticsearch. The default is 10 rows.
-
-#### `max_row_length`
-
-The maximum length in bytes of a row from the SQL message to publish to
-Elasticsearch. The default is 1024 bytes.
-
-Fields published for PostgreSQL packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. 
access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. 
In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. 
For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| pgsql.error_code | The PostgreSQL error code. | keyword | -| pgsql.error_message | The PostgreSQL error message. | keyword | -| pgsql.error_severity | The PostgreSQL error severity. | keyword | -| pgsql.num_fields | If the SELECT query if successful, this field is set to the number of fields returned. | long | -| pgsql.num_rows | If the SELECT query if successful, this field is set to the number of rows returned. | long | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. 
| long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `pgsql` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:29:39.675Z", - "agent": { - "ephemeral_id": "1e05998c-1d97-426b-8d9e-f5f92c446612", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "data_stream": { - "dataset": "network_traffic.pgsql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.pgsql", - "duration": 2568100, - "end": "2022-03-09T08:29:39.678Z", - "ingested": "2022-03-09T08:29:40Z", - "kind": "event", - "start": "2022-03-09T08:29:39.675Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - 
"architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "SELECT",
- "network": {
- "bytes": 3220,
- "community_id": "1:WUuTzESSpZnUwZ2tuZKZtNOdHSU=",
- "direction": "ingress",
- "protocol": "pgsql",
- "transport": "tcp",
- "type": "ipv4"
- },
- "pgsql": {
- "num_fields": 3,
- "num_rows": 15
- },
- "query": "select * from long_response",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 3186,
- "ip": "127.0.0.1",
- "port": 5432
- },
- "source": {
- "bytes": 34,
- "ip": "127.0.0.1",
- "port": 34936
- },
- "status": "OK",
- "type": "pgsql"
-}
-```
-
-### Redis
-
-**Configuration options**
-
-Also see [Common protocol options](#common-protocol-options).
-
-#### `queue_max_bytes` and `queue_max_messages`
-
-store requests in memory until a response is received. These settings
-impose a limit on the number of bytes (`queue_max_bytes`) and number of
-requests (`queue_max_messages`) that can be stored. These limits are
-per-connection. The default is to queue up to 1MB or 20.000 requests per
-connection, which allows to use request pipelining while at the same
-time limiting the amount of memory consumed by replication sessions.
-
-Fields published for Redis packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. 
| keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. 
| keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. 
For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| redis.error | If the Redis command has resulted in an error, this field contains the error message returned by the Redis server. | keyword | -| redis.return_value | The return value of the Redis command in a human readable format. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. 
| keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `redis` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:30:57.254Z", - "agent": { - "ephemeral_id": "b68277a8-8012-4ada-bbdd-6ce88a51c5ce", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 31, - "ip": "127.0.0.1", - "port": 32810 - }, - "data_stream": { - "dataset": "network_traffic.redis", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 5, - "ip": "127.0.0.1", - "port": 6380 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "redis.set", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.redis", - "duration": 1421600, - "end": "2022-03-09T08:30:57.256Z", - "ingested": "2022-03-09T08:30:58Z", - "kind": "event", - "start": "2022-03-09T08:30:57.254Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": 
"docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SET", - "network": { - "bytes": 36, - "community_id": "1:GuHlyWpX6bKkMXy19YkvZSNPTS4=", - "direction": "ingress", - "protocol": "redis", - "transport": "tcp", - "type": "ipv4" - }, - "query": "set key3 me", - "redis": { - "return_value": "OK" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "resource": "key3", - "server": { - "bytes": 5, - "ip": "127.0.0.1", - "port": 6380 - }, - "source": { - "bytes": 31, - "ip": "127.0.0.1", - "port": 32810 - }, - "status": "OK", - "type": "redis" -} -``` - -### SIP - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `parse_authorization` - -If set to true Network Packet Capture will parse the authorization headers -and include them in events. The default is true. - -#### `parse_body` - -If set to true, Network Packet Capture parses the SIP body when the body -contains Session Description Protocol data. The default is true. - -Fields published for SIP packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. 
| keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. 
The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. 
This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | -| event.start | event.start contains the date when the event started or when the activity was first observed. 
| date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. 
| keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| sip.accept | Accept header value. | keyword | -| sip.allow | Allowed methods. | keyword | -| sip.auth.realm | Auth realm | keyword | -| sip.auth.scheme | Auth scheme | keyword | -| sip.auth.uri.host | Auth URI host | keyword | -| sip.auth.uri.original | Auth original URI | keyword | -| sip.auth.uri.original.text | Multi-field of `sip.auth.uri.original`. 
| text | -| sip.auth.uri.port | Auth URI port | long | -| sip.auth.uri.scheme | Auth URI scheme | keyword | -| sip.call_id | Call ID. | keyword | -| sip.code | Response status code. | long | -| sip.contact.display_info | Contact display info | keyword | -| sip.contact.expires | Contact expires | keyword | -| sip.contact.line | Contact line | keyword | -| sip.contact.q | Contact Q | keyword | -| sip.contact.transport | Contact transport | keyword | -| sip.contact.uri.host | Contact URI host | keyword | -| sip.contact.uri.original | Contact original URI | keyword | -| sip.contact.uri.original.text | Multi-field of `sip.contact.uri.original`. | text | -| sip.contact.uri.port | Contact URI port | long | -| sip.contact.uri.scheme | Contat URI scheme | keyword | -| sip.contact.uri.username | Contact URI user name | keyword | -| sip.content_length | | long | -| sip.content_type | | keyword | -| sip.cseq.code | Sequence code. | long | -| sip.cseq.method | Sequence method. | keyword | -| sip.from.display_info | From display info | keyword | -| sip.from.tag | From tag | keyword | -| sip.from.uri.host | From URI host | keyword | -| sip.from.uri.original | From original URI | keyword | -| sip.from.uri.original.text | Multi-field of `sip.from.uri.original`. | text | -| sip.from.uri.port | From URI port | long | -| sip.from.uri.scheme | From URI scheme | keyword | -| sip.from.uri.username | From URI user name | keyword | -| sip.max_forwards | | long | -| sip.method | Request method. | keyword | -| sip.private.uri.host | Private URI host. | keyword | -| sip.private.uri.original | Private original URI. | keyword | -| sip.private.uri.original.text | Multi-field of `sip.private.uri.original`. | text | -| sip.private.uri.port | Private URI port. | long | -| sip.private.uri.scheme | Private URI scheme. | keyword | -| sip.private.uri.username | Private URI user name. 
| keyword | -| sip.sdp.body.original | SDP original body | keyword | -| sip.sdp.body.original.text | Multi-field of `sip.sdp.body.original`. | text | -| sip.sdp.connection.address | SDP connection address | keyword | -| sip.sdp.connection.info | SDP connection info | keyword | -| sip.sdp.owner.ip | SDP owner IP | ip | -| sip.sdp.owner.session_id | SDP owner session ID | keyword | -| sip.sdp.owner.username | SDP owner user name | keyword | -| sip.sdp.owner.version | SDP owner version | keyword | -| sip.sdp.session.name | SDP session name | keyword | -| sip.sdp.version | SDP version | keyword | -| sip.status | Response status phrase. | keyword | -| sip.supported | Supported methods. | keyword | -| sip.to.display_info | To display info | keyword | -| sip.to.tag | To tag | keyword | -| sip.to.uri.host | To URI host | keyword | -| sip.to.uri.original | To original URI | keyword | -| sip.to.uri.original.text | Multi-field of `sip.to.uri.original`. | text | -| sip.to.uri.port | To URI port | long | -| sip.to.uri.scheme | To URI scheme | keyword | -| sip.to.uri.username | To URI user name | keyword | -| sip.type | Either request or response. | keyword | -| sip.uri.host | The URI host. | keyword | -| sip.uri.original | The original URI. | keyword | -| sip.uri.original.text | Multi-field of `sip.uri.original`. | text | -| sip.uri.port | The URI port. | long | -| sip.uri.scheme | The URI scheme. | keyword | -| sip.uri.username | The URI user name. | keyword | -| sip.user_agent.original | | keyword | -| sip.user_agent.original.text | Multi-field of `sip.user_agent.original`. | text | -| sip.version | SIP protocol version. | keyword | -| sip.via.original | The original Via value. | keyword | -| sip.via.original.text | Multi-field of `sip.via.original`. | text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. 
| long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | - - -An example event for `sip` looks as following: - -```json -{ - "@timestamp": "2022-05-13T07:10:35.715Z", - "agent": { - "ephemeral_id": "008322ce-0d84-45f0-beaf-153cf4786013", - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "ip": "10.0.2.20", - "port": 5060 - }, - "data_stream": { - "dataset": "network_traffic.sip", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "10.0.2.15", - "port": 5060 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "sip-invite", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.sip", - "duration": 0, - "end": "2022-05-13T07:10:35.715Z", - "ingested": "2022-05-13T07:10:39Z", - "kind": "event", - "original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" \u003csip:sipp@10.0.2.20:5060\u003e;tag=1\r\nTo: test \u003csip:test@10.0.2.15:5060\u003e\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n", - "sequence": 1, - "start": "2022-05-13T07:10:35.715Z", - "type": [ - "info" - ] - }, - "host": { - 
"architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "172.31.0.7" - ], - "mac": [ - "02-42-AC-1F-00-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "network": { - "application": "sip", - "community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", - "direction": "unknown", - "iana_number": "17", - "protocol": "sip", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "hosts": [ - "10.0.2.15", - "10.0.2.20" - ], - "ip": [ - "10.0.2.20", - "10.0.2.15" - ], - "user": [ - "test", - "sipp" - ] - }, - "server": { - "ip": "10.0.2.15", - "port": 5060 - }, - "sip": { - "call_id": "1-2187@10.0.2.20", - "contact": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "content_length": 123, - "content_type": "application/sdp", - "cseq": { - "code": 1, - "method": "INVITE" - }, - "from": { - "display_info": "DVI4/8000", - "tag": "1", - "uri": { - "host": "10.0.2.20", - "original": "sip:sipp@10.0.2.20:5060", - "port": 5060, - "scheme": "sip", - "username": "sipp" - } - }, - "max_forwards": 70, - "method": "INVITE", - "sdp": { - "body": { - "original": "v=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n" - }, - "connection": { - "address": "10.0.2.20", - "info": "IN IP4 10.0.2.20" - }, - "owner": { - "ip": "10.0.2.20", - "session_id": "42", - "version": "42" - }, - "version": "0" - }, - "to": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "type": "request", - "uri": { - "host": "10.0.2.15", - "original": 
"sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - }, - "version": "2.0", - "via": { - "original": [ - "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0" - ] - } - }, - "source": { - "ip": "10.0.2.20", - "port": 5060 - }, - "status": "OK", - "type": "sip" -} -``` - -### Thrift - -[Apache Thrift](https://thrift.apache.org/) is a communication protocol -and RPC framework initially created at Facebook. It is sometimes used in -[microservices](http://martinfowler.com/articles/microservices.html) -architectures because it provides better performance when compared to -the more obvious HTTP/RESTful API choice, while still supporting a wide -range of programming languages and frameworks. - -Network Packet Capture works based on a copy of the traffic, which means that you -get performance management features without having to modify your -services in any way and without any latency overhead. Network Packet Capture -captures the transactions from the network and indexes them in -Elasticsearch so that they can be analyzed and searched. - -Network Packet Capture indexes the method, parameters, return value, and exceptions -of each Thrift-RPC call. You can search by and create statistics based -on any of these fields. Network Packet Capture automatically fills in the `status` -column with either `OK` or `Error`, so it’s easy to find the problematic -RPC calls. A transaction is put into the `Error` state if it returned an -exception. - -Network Packet Capture also indexes the `event.duration` field so you can get -performance analytics and find the slow RPC calls. - -Thrift supports multiple [transport and protocol -types](http://en.wikipedia.org/wiki/Apache_Thrift). Currently Network Packet Capture -supports the default `TSocket` transport as well as the `TFramed` -transport. From the protocol point of view, Network Packet Capture currently -supports only the default `TBinary` protocol. 
- -Network Packet Capture also has several configuration options that allow you to get -the right balance between visibility, disk usage, and data protection. -You can, for example, choose to obfuscate all strings or to store the -requests but not the responses, while still capturing the response time -for each of the RPC calls. You can also choose to limit the size of -strings and lists to a given number of elements, so you can fine tune -how much data you want to have stored in Elasticsearch. - -The Thrift protocol has several specific configuration options. - -Providing the Thrift IDL files to Network Packet Capture is optional. The binary -Thrift messages include the called method name and enough structural -information to decode the messages without needing the IDL files. -However, if you provide the IDL files, Network Packet Capture can also resolve the -service name, arguments, and exception names. - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `transport_type` - -The Thrift transport type. Currently this option accepts the values -`socket` for TSocket, which is the default Thrift transport, and -`framed` for the TFramed Thrift transport. The default is `socket`. - -#### `protocol_type` - -The Thrift protocol type. Currently the only accepted value is `binary` -for the TBinary protocol, which is the default Thrift protocol. - -#### `idl_files` - -The Thrift interface description language (IDL) files for the service -that Network Packet Capture is monitoring. Providing the IDL files is optional, -because the Thrift messages contain enough information to decode them -without having the IDL files. However, providing the IDL enables -Network Packet Capture to include parameter and exception names. - -#### `string_max_size` - -The maximum length for strings in parameters or return values. If a -string is longer than this value, the string is automatically truncated -to this length. 
Network Packet Capture adds dots at the end of the string to mark -that it was truncated. The default is 200. - -#### `collection_max_size` - -The maximum number of elements in a Thrift list, set, map, or structure. -If a collection has more elements than this value, Network Packet Capture captures -only the specified number of elements. Network Packet Capture adds a fictive last -element `...` to the end of the collection to mark that it was -truncated. The default is 15. - -#### `capture_reply` - -If this option is set to false, Network Packet Capture decodes the method name from -the reply and simply skips the rest of the response message. This -setting can be useful for performance, disk usage, or data retention -reasons. The default is true. - -#### `obfuscate_strings` - -If this option is set to true, Network Packet Capture replaces all strings found in -method parameters, return codes, or exception structures with the `"*"` -string. - -#### `drop_after_n_struct_fields` - -The maximum number of fields that a structure can have before Network Packet Capture -ignores the whole transaction. This is a memory protection mechanism (so -that Network Packet Capture’s memory doesn’t grow indefinitely), so you would -typically set this to a relatively high value. The default is 500. - -Fields published for Thrift packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. 
| date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string.
| keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
| keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client.
| long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| thrift.exceptions | If the call resulted in exceptions, this field contains the exceptions in a human readable format. | keyword |
-| thrift.params | The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used. | keyword |
-| thrift.return_value | The value returned by the Thrift-RPC call. This is encoded in a human readable format. | keyword |
-| thrift.service | The name of the Thrift-RPC service as defined in the IDL files. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
| keyword |
-
-
-An example event for `thrift` looks as following:
-
-```json
-{
- "@timestamp": "2022-05-23T10:59:35.668Z",
- "agent": {
- "ephemeral_id": "016dcea4-c82a-4499-9069-e4e0ff6d04ff",
- "id": "0488c467-eaa0-4733-a81a-326734926bc2",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.2.0"
- },
- "client": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 50919
- },
- "data_stream": {
- "dataset": "network_traffic.thrift",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 9090
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "0488c467-eaa0-4733-a81a-326734926bc2",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.thrift",
- "duration": 1275700,
- "end": "2022-05-23T10:59:35.669Z",
- "ingested": "2022-05-23T10:59:36Z",
- "kind": "event",
- "start": "2022-05-23T10:59:35.668Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": false,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.224.7"
- ],
- "mac": [
- "02-42-C0-A8-E0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.104-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.4 LTS (Focal Fossa)"
- }
- },
- "method": "testByte",
- "network": {
- "bytes": 50,
- "community_id": "1:fs+HuhTN3hqKiWHtoK/DsQ0ni5Y=",
- "direction": "ingress",
- "protocol": "thrift",
- "transport": "tcp",
- "type": "ipv4"
- },
- "path": "",
- "query": "testByte(1: 63)",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 9090
- },
- "source": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 50919
- },
- "status": "OK",
- "thrift": {
- "params": "(1: 63)",
- "return_value": "63"
- },
- "type": "thrift"
-}
-```
- -### TLS - -TLS is a cryptographic protocol that provides secure communications on -top of an existing application protocol, like HTTP or MySQL. - -Network Packet Capture intercepts the initial handshake in a TLS connection and -extracts useful information that helps operators diagnose problems and -strengthen the security of their network and systems. It does not -decrypt any information from the encapsulated protocol, nor does it -reveal any sensitive information such as cryptographic keys. TLS -versions 1.0 to 1.3 are supported. - -It works by intercepting the client and server "hello" messages, which -contain the negotiated parameters for the connection such as -cryptographic ciphers and protocol versions. It can also intercept TLS -alerts, which are sent by one of the parties to signal a problem with -the negotiation, such as an expired certificate or a cryptographic -error. - -Detailed information that is not defined in ECS is added under the -`tls.detailed` key. The [`include_detailed_fields`](#include_detailed_fields) configuration flag -is used to control whether this information is exported. - -The fields under `tls.detailed.client_hello` contain the algorithms and -extensions supported by the client, as well as the maximum TLS version -it supports. - -Fields under `tls.detailed.server_hello` contain the final settings for -the TLS session: The selected cipher, compression method, TLS version to -use and other extensions such as application layer protocol negotiation -(ALPN). - -**Configuration options** - -The `send_certificates` and `include_detailed_fields` settings are -useful for limiting the amount of data Network Packet Capture indexes, as multiple -certificates are usually exchanged in a single transaction, and those -can take a considerable amount of storage. - -Also see [Common protocol options](#common-protocol-options). 
- -#### `send_certificates` - -This setting causes information about the certificates presented by the -client and server to be included in the detailed fields. The server’s -certificate is indexed under `tls.detailed.server_certificate` and its -certification chain under `tls.detailed.server_certificate_chain`. For -the client, the `client_certificate` and `client_certificate_chain` -fields are used. The default is true. - -#### `include_raw_certificates` - -You can set `include_raw_certificates` to include the raw certificate -chains encoded in PEM format, under the `tls.server.certificate_chain` -and `tls.client.certificate_chain` fields. The default is false. - -#### `include_detailed_fields` - -Controls whether the [https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-tls_detailed.html](#exported-fields-tls_detailed) are added to exported documents. When -set to false, only [ECS TLS](https://www.elastic.co/guide/en/ecs/8.2/ecs-tls.html) fields are included. -exported are included. The default is `true`. - -#### `fingerprints` - -Defines a list of hash algorithms to calculate the certificate’s -fingerprints. Valid values are `sha1`, `sha256` and `md5`. - -The default is to output SHA-1 fingerprints. - -Fields published for TLS packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. 
| date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
| keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information.
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`.
For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| tls.cipher | String indicating the cipher used during the current connection. | keyword |
-| tls.client.certificate | PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. | keyword |
-| tls.client.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the client.
This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. | keyword |
-| tls.client.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.client.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.client.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword |
-| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword |
-| tls.client.not_after | Date/Time indicating when client certificate is no longer considered valid. | date |
-| tls.client.not_before | Date/Time indicating when client certificate is first considered valid. | date |
-| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword |
-| tls.client.subject | Distinguished name of subject of the x.509 certificate presented by the client. | keyword |
-| tls.client.supported_ciphers | Array of ciphers offered by the client during the client hello. | keyword |
-| tls.client.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
| keyword |
-| tls.client.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.country | List of country (C) codes | keyword |
-| tls.client.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.locality | List of locality names (L) | keyword |
-| tls.client.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.client.x509.not_after | Time at which the certificate is no longer considered valid. | date |
-| tls.client.x509.not_before | Time at which the certificate is first considered valid. | date |
-| tls.client.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword |
-| tls.client.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword |
-| tls.client.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long |
-| tls.client.x509.public_key_size | The size of the public key space in bits. | long |
-| tls.client.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
-| tls.client.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword |
-| tls.client.x509.subject.common_name | List of common names (CN) of subject.
| keyword |
-| tls.client.x509.subject.country | List of country (C) code | keyword |
-| tls.client.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword |
-| tls.client.x509.subject.locality | List of locality names (L) | keyword |
-| tls.client.x509.subject.organization | List of organizations (O) of subject. | keyword |
-| tls.client.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
-| tls.client.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.client.x509.version_number | Version of x509 format. | keyword |
-| tls.curve | String indicating the curve used for the given cipher, when applicable. | keyword |
-| tls.detailed.alert_types | An array containing the TLS alert type for every alert received. | keyword |
-| tls.detailed.client_certificate_chain | Chain of trust for the client certificate. | array |
-| tls.detailed.client_certificate_requested | Whether the server has requested the client to authenticate itself using a client certificate. | boolean |
-| tls.detailed.client_hello.extensions._unparsed_ | List of extensions that were left unparsed by Packetbeat. | keyword |
-| tls.detailed.client_hello.extensions.application_layer_protocol_negotiation | List of application-layer protocols the client is willing to use. | keyword |
-| tls.detailed.client_hello.extensions.ec_points_formats | List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse. | keyword |
-| tls.detailed.client_hello.extensions.server_name_indication | List of hostnames | keyword |
-| tls.detailed.client_hello.extensions.session_ticket | Length of the session ticket, if provided, or an empty string to advertise support for tickets. | keyword |
-| tls.detailed.client_hello.extensions.signature_algorithms | List of signature algorithms that may be use in digital signatures.
| keyword |
-| tls.detailed.client_hello.extensions.status_request.request_extensions | The number of certificate extensions for the request. | short |
-| tls.detailed.client_hello.extensions.status_request.responder_id_list_length | The length of the list of trusted responders. | short |
-| tls.detailed.client_hello.extensions.status_request.type | The type of the status request. Always "ocsp" if present. | keyword |
-| tls.detailed.client_hello.extensions.supported_groups | List of Elliptic Curve Cryptography (ECC) curve groups supported by the client. | keyword |
-| tls.detailed.client_hello.extensions.supported_versions | List of TLS versions that the client is willing to use. | keyword |
-| tls.detailed.client_hello.random | Random data used by the TLS protocol to generate the encryption key. | keyword |
-| tls.detailed.client_hello.session_id | Unique number to identify the session for the corresponding connection with the client. | keyword |
-| tls.detailed.client_hello.supported_compression_methods | The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml | keyword |
-| tls.detailed.client_hello.version | The version of the TLS protocol by which the client wishes to communicate during this session. | keyword |
-| tls.detailed.ocsp_response | The result of an OCSP request. | keyword |
-| tls.detailed.resumption_method | If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension. | keyword |
-| tls.detailed.server_certificate_chain | Chain of trust for the server certificate. | array |
-| tls.detailed.server_hello.extensions._unparsed_ | List of extensions that were left unparsed by Packetbeat. 
| keyword |
-| tls.detailed.server_hello.extensions.application_layer_protocol_negotiation | Negotiated application layer protocol | keyword |
-| tls.detailed.server_hello.extensions.ec_points_formats | List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse. | keyword |
-| tls.detailed.server_hello.extensions.session_ticket | Used to announce that a session ticket will be provided by the server. Always an empty string. | keyword |
-| tls.detailed.server_hello.extensions.status_request.response | Whether a certificate status request response was made. | boolean |
-| tls.detailed.server_hello.extensions.supported_versions | Negotiated TLS version to be used. | keyword |
-| tls.detailed.server_hello.random | Random data used by the TLS protocol to generate the encryption key. | keyword |
-| tls.detailed.server_hello.selected_compression_method | The compression method selected by the server from the list provided in the client hello. | keyword |
-| tls.detailed.server_hello.session_id | Unique number to identify the session for the corresponding connection with the client. | keyword |
-| tls.detailed.server_hello.version | The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello. | keyword |
-| tls.detailed.version | The version of the TLS protocol used. | keyword |
-| tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean |
-| tls.next_protocol | String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. | keyword |
-| tls.resumed | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. 
| boolean |
-| tls.server.certificate | PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. | keyword |
-| tls.server.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. | keyword |
-| tls.server.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.server.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.server.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword |
-| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword |
-| tls.server.not_after | Timestamp indicating when server certificate is no longer considered valid. | date |
-| tls.server.not_before | Timestamp indicating when server certificate is first considered valid. | date |
-| tls.server.subject | Subject of the x.509 certificate presented by the server. | keyword |
-| tls.server.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. 
| keyword |
-| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
-| tls.server.x509.issuer.country | List of country (C) codes | keyword |
-| tls.server.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword |
-| tls.server.x509.issuer.locality | List of locality names (L) | keyword |
-| tls.server.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword |
-| tls.server.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword |
-| tls.server.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.server.x509.not_after | Time at which the certificate is no longer considered valid. | date |
-| tls.server.x509.not_before | Time at which the certificate is first considered valid. | date |
-| tls.server.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword |
-| tls.server.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword |
-| tls.server.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long |
-| tls.server.x509.public_key_size | The size of the public key space in bits. | long |
-| tls.server.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
-| tls.server.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword |
-| tls.server.x509.subject.common_name | List of common names (CN) of subject. 
| keyword |
-| tls.server.x509.subject.country | List of country (C) code | keyword |
-| tls.server.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword |
-| tls.server.x509.subject.locality | List of locality names (L) | keyword |
-| tls.server.x509.subject.organization | List of organizations (O) of subject. | keyword |
-| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
-| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.server.x509.version_number | Version of x509 format. | keyword |
-| tls.version | Numeric part of the version parsed from the original string. | keyword |
-| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-
-
-An example event for `tls` looks as following:
-
-```json
-{
- "@timestamp": "2022-05-23T11:01:14.376Z",
- "agent": {
- "ephemeral_id": "d7d5fdf6-998d-488e-bfb7-176a86d6860d",
- "id": "0488c467-eaa0-4733-a81a-326734926bc2",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.2.0"
- },
- "client": {
- "ip": "192.168.1.35",
- "port": 59455
- },
- "data_stream": {
- "dataset": "network_traffic.tls",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "domain": "example.net",
- "ip": "93.184.216.34",
- "port": 443
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "0488c467-eaa0-4733-a81a-326734926bc2",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.tls",
- "duration": 365887700,
- "end": "2022-05-23T11:01:14.741Z",
- "ingested": "2022-05-23T11:01:17Z",
- "kind": "event",
- "start": "2022-05-23T11:01:14.376Z",
- "type": [
- "connection",
- "protocol"
- ] 
- },
- "host": {
- "architecture": "x86_64",
- "containerized": false,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.224.7"
- ],
- "mac": [
- "02-42-C0-A8-E0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.104-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.4 LTS (Focal Fossa)"
- }
- },
- "network": {
- "community_id": "1:fx1jENdlg6r3LIvBRG3wEboWbPY=",
- "direction": "unknown",
- "protocol": "tls",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.1.35",
- "93.184.216.34"
- ]
- },
- "server": {
- "domain": "example.net",
- "ip": "93.184.216.34",
- "port": 443
- },
- "source": {
- "ip": "192.168.1.35",
- "port": 59455
- },
- "status": "OK",
- "tls": {
- "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "client": {
- "ja3": "e6573e91e6eb777c0933c5b8f97f10cd",
- "server_name": "example.net",
- "supported_ciphers": [
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- "(unknown:0xff85)",
- "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
- "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
- "TLS_GOSTR341001_WITH_28147_CNT_IMIT",
- "TLS_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_RSA_WITH_AES_256_CBC_SHA256",
- "TLS_RSA_WITH_AES_256_CBC_SHA",
- "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
- "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
- 
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
- "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
- "TLS_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_RSA_WITH_AES_128_CBC_SHA",
- "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
- "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
- ]
- },
- "detailed": {
- "client_certificate_requested": false,
- "client_hello": {
- "extensions": {
- "application_layer_protocol_negotiation": [
- "h2",
- "http/1.1"
- ],
- "ec_points_formats": [
- "uncompressed"
- ],
- "server_name_indication": [
- "example.net"
- ],
- "signature_algorithms": [
- "rsa_pkcs1_sha512",
- "ecdsa_secp521r1_sha512",
- "(unknown:0xefef)",
- "rsa_pkcs1_sha384",
- "ecdsa_secp384r1_sha384",
- "rsa_pkcs1_sha256",
- "ecdsa_secp256r1_sha256",
- "(unknown:0xeeee)",
- "(unknown:0xeded)",
- "(unknown:0x0301)",
- "(unknown:0x0303)",
- "rsa_pkcs1_sha1",
- "ecdsa_sha1"
- ],
- "supported_groups": [
- "x25519",
- "secp256r1",
- "secp384r1"
- ]
- },
- "random": "d7c809b4ac3a60b62f53c9d9366ca89a703d25491ff2a246a89f32f945f7b42b",
- "supported_compression_methods": [
- "NULL"
- ],
- "version": "3.3"
- },
- "server_certificate_chain": [
- {
- "issuer": {
- "common_name": "DigiCert Global Root CA",
- "country": "US",
- "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
- "organization": "DigiCert Inc",
- "organizational_unit": "www.digicert.com"
- },
- "not_after": "2023-03-08T12:00:00.000Z",
- "not_before": "2013-03-08T12:00:00.000Z",
- "public_key_algorithm": "RSA",
- "public_key_size": 2048,
- 
"serial_number": "2646203786665923649276728595390119057",
- "signature_algorithm": "SHA256-RSA",
- "subject": {
- "common_name": "DigiCert SHA2 Secure Server CA",
- "country": "US",
- "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
- "organization": "DigiCert Inc"
- },
- "version_number": 3
- },
- {
- "issuer": {
- "common_name": "DigiCert Global Root CA",
- "country": "US",
- "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
- "organization": "DigiCert Inc",
- "organizational_unit": "www.digicert.com"
- },
- "not_after": "2031-11-10T00:00:00.000Z",
- "not_before": "2006-11-10T00:00:00.000Z",
- "public_key_algorithm": "RSA",
- "public_key_size": 2048,
- "serial_number": "10944719598952040374951832963794454346",
- "signature_algorithm": "SHA1-RSA",
- "subject": {
- "common_name": "DigiCert Global Root CA",
- "country": "US",
- "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
- "organization": "DigiCert Inc",
- "organizational_unit": "www.digicert.com"
- },
- "version_number": 3
- }
- ],
- "server_hello": {
- "extensions": {
- "_unparsed_": [
- "renegotiation_info",
- "server_name_indication"
- ],
- "application_layer_protocol_negotiation": [
- "h2"
- ],
- "ec_points_formats": [
- "uncompressed",
- "ansiX962_compressed_prime",
- "ansiX962_compressed_char2"
- ]
- },
- "random": "d1fd553a5a270f08e09eda6690fb3c8f9884e9a9fe7949e9444f574e47524401",
- "selected_compression_method": "NULL",
- "session_id": "23bb2aed5d215e1228220b0a51d7aa220785e9e4b83b4f430229117971e9913f",
- "version": "3.3"
- },
- "version": "TLS 1.2"
- },
- "established": true,
- "next_protocol": "h2",
- "resumed": false,
- "server": {
- "hash": {
- "sha1": "7BB698386970363D2919CC5772846984FFD4A889"
- },
- "issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
- "not_after": "2020-12-02T12:00:00.000Z",
- "not_before": "2018-11-28T00:00:00.000Z",
- "subject": 
"CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US",
- "x509": {
- "alternative_names": [
- "www.example.org",
- "example.com",
- "example.edu",
- "example.net",
- "example.org",
- "www.example.com",
- "www.example.edu",
- "www.example.net"
- ],
- "issuer": {
- "common_name": "DigiCert SHA2 Secure Server CA",
- "country": "US",
- "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
- "organization": "DigiCert Inc"
- },
- "not_after": "2020-12-02T12:00:00.000Z",
- "not_before": "2018-11-28T00:00:00.000Z",
- "public_key_algorithm": "RSA",
- "public_key_size": 2048,
- "serial_number": "21020869104500376438182461249190639870",
- "signature_algorithm": "SHA256-RSA",
- "subject": {
- "common_name": "www.example.org",
- "country": "US",
- "distinguished_name": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US",
- "locality": "Los Angeles",
- "organization": "Internet Corporation for Assigned Names and Numbers",
- "organizational_unit": "Technology",
- "state_or_province": "California"
- },
- "version_number": "3"
- }
- },
- "version": "1.2",
- "version_protocol": "tls"
- },
- "type": "tls"
-}
-```
-
-## Licensing for Windows Systems
-
-The Network Packet Capture Integration incorporates a bundled Npcap installation on Windows hosts. The installation is provided under an [OEM license](https://npcap.com/oem/redist.html) from Insecure.Com LLC ("The Nmap Project").
\ No newline at end of file
diff --git a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json
deleted file mode 100755
index 16f534dd5e..0000000000
--- a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json
+++ /dev/null
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "Overview of DNS request and response metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":13,\"x\":0,\"y\":15},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"7\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":11,\"x\":13,\"y\":15},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] DNS Overview", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-65120940-1454-11e9-9de0-f98d1808db8e", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-dns-query-summary", - "name": 
"panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-dns-request-status-over-time", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-dns-question-types", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-dns-top-10-questions", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-dns-response-codes", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json deleted file mode 100755 index 7562508a09..0000000000 --- a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "DHCPv4 Overview", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":7},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"3\",\"w\":11,\"x\":37,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"search\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"6\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"7\",\"w\":8,\"x\":16,\"y\":0},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"8\",\"w\":13,\"x\":24,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] DHCPv4", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb", - "migrationVersion": { - 
"dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "5:panel_5", - "type": "search" - }, - { - "id": "network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb", - "name": "8:panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-cassandra.json b/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-cassandra.json deleted file mode 100755 index 489417c609..0000000000 --- a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-cassandra.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":12,\"x\":36,\"y\":8},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":12,\"x\":24,\"y\":8},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":12,\"x\":12,\"y\":8},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"17\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\
":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"18\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"cassandra.request.query\",\"cassandra.response.result.rows.meta.keyspace\",\"cassandra.response.result.rows.meta.table\",\"cassandra.response.result.rows.num_rows\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"20\",\"w\":48,\"x\":0,\"y\":52},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"search\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Cassandra", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-cassandra-responsekeyspace", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsetype", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsetime", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcount", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-ops", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcountstackbytype", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsecountstackbytype", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcountbytype", - "name": "17:panel_17", - "type": 
"visualization" - }, - { - "id": "network_traffic-cassandra-responsecountbytype", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "19:panel_19", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-queryview", - "name": "20:panel_20", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-dashboard.json b/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-dashboard.json deleted file mode 100755 index c1dee3dfea..0000000000 --- a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-dashboard.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "Network Packet Capture overview dashboard.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"1\",\"w\":12,\"x\":12,\"y\":20},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"2\",\"w\":12,\"x\":36,\"y\":20},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"11\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.17.0\"
},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"12\",\"w\":12,\"x\":0,\"y\":20},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"13\",\"w\":12,\"x\":24,\"y\":20},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"3f5bc195-da9d-4ec8-a68f-896db321a54b\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"9638dc3f-f85a-4e68-8e14-25654df43f8e\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"[Network Packet Capture] Client IP Locations (requires GeoIP enrichment)\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"client.geo.location\\\",\\\"id\\\":\\\"220c104b-34a8-4aa7-a3d6-7b56ad4d3b9e\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":2.4,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"agent.type:packetbeat\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerC
ontrol\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"[Network Packet Capture] Map 2\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":40.9799,\"maxLon\":90,\"minLat\":0,\"minLon\":-90},\"mapCenter\":{\"lat\":19.94277,\"lon\":0,\"zoom\":2.4},\"openTOCDetails\":[]},\"gridData\":{\"h\":20,\"i\":\"92e797bb-1975-4320-9d19-9b7f11e9e538\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"92e797bb-1975-4320-9d19-9b7f11e9e538\",\"title\":\"[Network Packet Capture] Client IP Locations (requires GeoIP enrichment)\",\"type\":\"map\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Overview", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dashboard", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-web-transactions", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-db-transactions", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-response-times-percentiles", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-errors-count-over-time", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-errors-vs-successful-transactions", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-latency-histogram", - "name": "8:panel_8", - "type": "visualization" - 
}, - { - "id": "network_traffic-response-times-repartition", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "92e797bb-1975-4320-9d19-9b7f11e9e538:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-dns-unique-domains.json b/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-dns-unique-domains.json deleted file mode 100755 index d6f50f2545..0000000000 --- a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-dns-unique-domains.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "Detecting tunneling over DNS.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"NOT dns.question.type:PTR\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"spy\":{\"mode\":{\"fill\":false,\"name\":null}},\"vis\":{\"colors\":{\"Count\":\"#1F78C1\",\"Unique Subdomain Count\":\"#EF843C\",\"Unique count of dns.question.name\":\"#E0752D\"},\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] DNS Tunneling", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-unique-domains", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-unique-fqdns-per-etld-1", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-unique-fqdns-per-etld-1-table", - "name": "panel_1", - "type": "visualization" - }, - { - "id": 
"network_traffic-bytes-transferred-per-domain", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-flows.json b/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-flows.json deleted file mode 100755 index 13b51d1106..0000000000 --- a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-flows.json +++ /dev/null 
@@ -1,47 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":35,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"3\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":35,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":35,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Network Flows", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-flows", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-top-hosts-creating-traffic", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-connections-over-time", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-top-hosts-receiving-traffic", - "name": "panel_3", - "type": "visualization" - }, - { - "id": 
"network_traffic-network-traffic-between-your-hosts", - "name": "panel_4", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-http.json b/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-http.json deleted file mode 100755 index 0699eb175a..0000000000 --- a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-http.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":36,\"x\":12,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":25,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":50},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] HTTP", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": 
"network_traffic-web-transactions", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-http-error-codes", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-http-error-codes-evolution", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-total-number-of-http-transactions", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-http-codes-for-the-top-queries", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-10-http-requests", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-mongodb-performance.json b/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-mongodb-performance.json deleted file mode 100755 index 76b41ed6ac..0000000000 --- a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-mongodb-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"6\",\"w\":32,\"x\":0,\"y\":35},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":25,\"i\":\"7\",\"w\":16,\"x\":32,\"y\":35},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] MongoDB", - "version": 1 - }, - "coreMigrationVersion": 
"7.17.0", - "id": "network_traffic-mongodb-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-errors", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-commands", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-errors-per-collection", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-in-slash-out-throughput", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-response-times-by-collection", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-slowest-mongodb-queries", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-mysql-performance.json b/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-mysql-performance.json deleted file mode 100755 index 6e51b19d93..0000000000 --- a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-mysql-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network 
Packet Capture] MySQL performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-errors", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-methods", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-throughput", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-most-frequent-mysql-queries", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-mysql-queries", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-response-times-percentiles", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-reads-vs-writes", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-nfs.json b/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-nfs.json deleted file mode 100755 index 2b9bfc8b82..0000000000 --- a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-nfs.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "NFSv3 and NFSv4 transactions over TCP.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":25,\"i\":\"1\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"spy\":{\"mode\":{\"fill\":false,\"name\":null}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":10,\"i\":\"4\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":10},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"7\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":55},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":30,\"i\"
:\"9\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"9\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"10\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_8\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] NFS", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs-clients-pie-chart", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-operations-area-chart", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-top-group-pie-chart", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-top-users-pie-chart", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-response-times", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-errors", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-operation-table", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-bytes-in-slash-out", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-pgsql-performance.json b/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-pgsql-performance.json deleted file mode 100755 index 462ad7a8be..0000000000 --- a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-pgsql-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "Postgres database query performance.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - 
"timeRestore": false, - "title": "[Network Packet Capture] PgSQL performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-errors", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-methods", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-response-times-percentiles", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-throughput", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-reads-vs-writes", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-most-frequent-pgsql-queries", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-pgsql-queries", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-thrift-performance.json b/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-thrift-performance.json deleted file mode 100755 index fe50a1efbd..0000000000 --- a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-thrift-performance.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Thrift performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-performance", 
- "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-requests-per-minute", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-rpc-errors", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-thrift-rpc-methods", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-response-times-percentiles", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-thrift-rpc-methods", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-top-thrift-rpc-calls-with-errors", - "name": "7:panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-tls-sessions.json b/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-tls-sessions.json deleted file mode 100755 index 876601f994..0000000000 --- a/packages/network_traffic/1.2.0/kibana/dashboard/network_traffic-tls-sessions.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "description": "[Network Packet Capture] TLS Sessions", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"8\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":12,\"x\":12,\"y\":28},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"10\",\"w\":12,\"x\":0,\"y\":16},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":40},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"12\",\"w\":12,\"x\":24,\"y\":28},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"13\",\"w\":12,\"x\":36,\"y\":28},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":12,\"x\":0,\"y\":28},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"ver
sion\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":24,\"x\":0,\"y\":52},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":24,\"x\":0,\"y\":64},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"17\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"18\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"19\",\"w\":36,\"x\":12,\"y\":16},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] TLS Sessions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-tls-sessions", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "network_traffic-c14377a0-d353-11e7-9914-4982455b3063", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "network_traffic-061de380-d361-11e7-9914-4982455b3063", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-a28d09d0-d361-11e7-9914-4982455b3063", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-0af0b790-d37d-11e7-9914-4982455b3063", - "name": "12:panel_12", - 
"type": "visualization" - }, - { - "id": "network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "network_traffic-2c467370-d392-11e7-8fa0-232aa9259081", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "network_traffic-0958a910-d396-11e7-8fa0-232aa9259081", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "network_traffic-86743f90-d396-11e7-8fa0-232aa9259081", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9", - "name": "19:panel_19", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json deleted file mode 100755 index afb21d2457..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB errors", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json deleted file mode 100755 index 67be55b24a..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.client.ja3\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.client.ja3\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Fingerprint", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json deleted file mode 100755 index 6d16385a7d..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] HTTP Transactions Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json deleted file mode 100755 index 438de0c09a..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"event.duration\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.duration\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Handshake Latency", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index b2320634bf..0000000000 
--- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.server.x509.public_key_size\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.server.x509.public_key_size\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Server Public Key Size", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json deleted file mode 100755 index 7851d8f875..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.client.server_name\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.client.server_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Server Name Indication", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-94908e80-d2d8-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json deleted file mode 100755 index 44b4e814c2..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "columns": [ - "dhcpv4.transaction_id", - "dhcpv4.op_code", - "dhcpv4.option.message_type", - "source.ip", - "destination.ip", - "dhcpv4.client_mac", - "dhcpv4.option.hostname", - "dhcpv4.option.class_identifier" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dhcpv4\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] DHCPv4", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json deleted file mode 100755 index 48114ab869..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.detailed.version\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.detailed.version\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Version", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-cassandra-queryview.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-cassandra-queryview.json deleted file mode 100755 index 4da4785f32..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-cassandra-queryview.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "cassandra.request.query", - "cassandra.response.result.rows.meta.keyspace", - "cassandra.response.result.rows.meta.table", - "cassandra.response.result.rows.num_rows" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cassandra.request.headers.op\",\"negate\":false,\"params\":{\"query\":\"QUERY\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"QUERY\"},\"query\":{\"match\":{\"cassandra.request.headers.op\":{\"query\":\"QUERY\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"cassandra.response.headers.op\",\"negate\":true,\"params\":{\"query\":\"ERROR\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"ERROR\"},\"query\":{\"match\":{\"cassandra.response.headers.op\":{\"query\":\"ERROR\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.cassandra\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Cassandra Query Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-queryview", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json deleted file mode 100755 index e042ed47b0..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{ - "attributes": { - "columns": [ - "server.ip", - "destination.ip", - "dns.question.name", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"dns\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"dns\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"dns\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dns\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] DNS Protocol", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json deleted file mode 100755 index adda40afe3..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.cassandra\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Cassandra Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json deleted file mode 100755 index 54ccb16243..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":\"TLS sessions\",\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Sessions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-flows-search.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-flows-search.json deleted file mode 100755 index 94bf5f31c0..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-flows-search.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{ - "attributes": { - "columns": [ - "type", - "event.start", - "event.end", - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "source.bytes", - "destination.bytes" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.flow\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Flows Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-flows-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json deleted file mode 100755 index f3f1e907c0..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status", - "query" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb and request: \\\"writeConcern w 0\\\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB transactions with write concern 0", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-transactions-with-write-concern-0", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-mongodb-transactions.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-mongodb-transactions.json deleted file mode 100755 index 71fb0f7d06..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-mongodb-transactions.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status", - "query" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB Transaction Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-mysql-errors.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-mysql-errors.json deleted file mode 100755 index e6696d3dfe..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-mysql-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mysql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MySQL Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-mysql-transactions.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-mysql-transactions.json deleted file mode 100755 index 035e4af69f..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-mysql-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mysql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MySQL Transactions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-nfs-errors-search.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-nfs-errors-search.json deleted file mode 100755 index 234a135c17..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-nfs-errors-search.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"nfs.status\",\"negate\":true,\"params\":{\"query\":\"NFSERR_NOENT\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"NFSERR_NOENT\"},\"query\":{\"match\":{\"nfs.status\":{\"query\":\"NFSERR_NOENT\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"nfs.status\",\"negate\":true,\"params\":{\"query\":\"NFS_OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"NFS_OK\"},\"query\":{\"match\":{\"nfs.status\":{\"query\":\"NFS_OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.nfs\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] NFS Error Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-errors-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" 
-} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-nfs.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-nfs.json deleted file mode 100755 index 637ab8785a..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-nfs.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.nfs\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] NFS Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-pgsql-errors.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-pgsql-errors.json deleted file mode 100755 index e1e696c06b..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-pgsql-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.pgsql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] PgSQL Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-pgsql-transactions.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-pgsql-transactions.json deleted file mode 100755 index 4cf83e438b..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-pgsql-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.pgsql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] PgSQL Transactions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-search.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-search.json deleted file mode 100755 index b8dcde28ff..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-search.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "client.ip", - "client.port", - "server.ip", - "server.port", - "data_stream.dataset", - "query", - "method", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":true,\"params\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"network_traffic.flow\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-thrift-errors.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-thrift-errors.json deleted file mode 100755 index 4ada45ff68..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-thrift-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.thrift\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Thrift Errors", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-thrift-transactions.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-thrift-transactions.json deleted file mode 100755 index d561697995..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-thrift-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.thrift\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Thrift Transactions Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/search/network_traffic-transactions-errors.json b/packages/network_traffic/1.2.0/kibana/search/network_traffic-transactions-errors.json deleted file mode 100755 index 26f67d32a2..0000000000 --- a/packages/network_traffic/1.2.0/kibana/search/network_traffic-transactions-errors.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "attributes": { - "columns": [ - "client.ip", - "client.port", - "server.ip", - "server.port", - "data_stream.dataset", - "query", - "method", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":true,\"params\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"network_traffic.flow\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Transactions Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-transactions-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - 
{ - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json deleted file mode 100755 index 72cce261f0..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Sessions", - "uiStateJSON": "{\"vis\":{\"colors\":{\"false\":\"#E24D42\",\"true\":\"#7EB26D\"},\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sessions per minute\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Handshake completed\",\"field\":\"tls.established\",\"json\":\"\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"
},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] TLS Sessions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json deleted file mode 100755 index 428c808c1b..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"}}" - }, - "title": "[Network Packet Capture] Total Number of TLS Sessions", - "uiStateJSON": "{\"P-5\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-7\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] Total Number of TLS Sessions\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-061de380-d361-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json deleted file mode 100755 index 3d5fc5d68c..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Certificates", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Subject Common Name\",\"field\":\"tls.server.x509.subject.common_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Organization\",\"field\":\"tls.server.x509.subject.organization\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Server Certificates\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-0958a910-d396-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index a9a6b6d585..0000000000 
--- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Versions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"TLS version\",\"field\":\"tls.detailed.version\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Versions\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-0af0b790-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json deleted file mode 100755 index 5c709d21ab..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Client Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique MACs\",\"field\":\"dhcpv4.client_mac\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Client Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json deleted file mode 100755 index 238ff5fe1b..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Session Resume", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"\",\"field\":\"tls.detailed.resumption_method\",\"json\":\"{\\n\\\"missing\\\": \\\"none\\\"\\n}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Session Resume\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-2c467370-d392-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json deleted file mode 100755 index 28758eb761..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Message Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Op Code\",\"field\":\"dhcpv4.op_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Message Type\",\"field\":\"dhcpv4.option.message_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DHCPv4 Message Types\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json deleted file mode 100755 index dfd0b9c2df..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Cipher", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Cipher\",\"field\":\"tls.cipher\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Cipher\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json deleted file mode 100755 index 69216a897d..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"dhcpv4.option.message_type:nak OR dhcpv4.option.message_type:decline\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 NAK and Decline Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":57,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 NAK and Decline Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json deleted file mode 100755 index e347b89b8e..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Min/Max/Avg Response Time Histogram", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Avg Response Time (ns)\":\"#629E51\",\"Max Response Time (ns)\":\"#E24D42\",\"Min Response Time (ns)\":\"#70DBED\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Min Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Max Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"max\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"4\",\"label\":\"Min Response Time 
(ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"1\",\"label\":\"Avg Response Time (ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Max Response Time (ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Average event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] DNS Min/Max/Avg Response Time Histogram\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json deleted file mode 100755 index 27390bc2a6..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dhcpv4\"}}" - }, - "title": "[Network Packet Capture] DHCPv4 Message Types over Time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"c2cf4410-8ba8-11e8-ae15-bdcba81344e6\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"type:dhcpv4\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"ignore_global_filter\":0,\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"NOT dhcpv4.option.message_type:nak NOT dhcpv4.option.message_type:decline\"},\"formatter\":\"number\",\"id\":\"8abe6eb0-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"Response\",\"line_width\":1,\"metrics\":[{\"id\":\"8abe6eb1-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"dhcpv4.option.message_type\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"dhcpv4.option.message_type:nak\"},\"formatter\":\"number\",\"id\":\"ae5610d0-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"nak\",\"line_width\":\"4\",\"metrics\":[{\"id\":\"ae5610d1-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":\"3\",\"seperate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"dhcpv4.option.
message_type:decline\"},\"formatter\":\"number\",\"id\":\"cf7ba180-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"decline\",\"line_width\":\"4\",\"metrics\":[{\"id\":\"cf7ba181-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":\"3\",\"seperate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"[Network Packet Capture] DHCPv4 Message Types over Time\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json deleted file mode 100755 index 23e4ad24db..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Client Certificates", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Subject Common Name\",\"field\":\"tls.client.x509.subject.common_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Signature Algorithm\",\"field\":\"tls.client.x509.signature_algorithm\",\"json\":\"{ \\\"missing\\\": \\\"N/A\\\" }\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Client Certificates\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-86743f90-d396-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json deleted file mode 100755 index e100d4e38f..0000000000 
--- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Name Indication", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Server Name Indication\",\"field\":\"tls.client.server_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"hideLabel\":false,\"maxFontSize\":64,\"minFontSize\":14,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"[Network Packet Capture] TLS Server Name Indication\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-a28d09d0-d361-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-94908e80-d2d8-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json deleted file mode 100755 index 204f509a93..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Fingerprint", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"JA3 Fingerprint\",\"field\":\"tls.client.ja3\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Fingerprint\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index c8ca05e364..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Public Key Size", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Public Key Size\",\"field\":\"tls.server.x509.public_key_size\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] Server Public Key Size\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json deleted file mode 100755 index 7d805b99d1..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Client and Servers Pie Chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Server\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DNS Client and Servers Pie Chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-bytes-transferred-per-domain.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-bytes-transferred-per-domain.json deleted file mode 100755 index 6b89c0127d..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-bytes-transferred-per-domain.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Bytes Transferred per Domain", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Bytes In\":\"#F2C96D\",\"Bytes Out\":\"#629E51\",\"Count\":\"#1F78C1\",\"Unique count of dns.question.name\":\"#E0752D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes Out\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Domains\",\"field\":\"dns.question.etld_plus_one\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes In\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":true,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"grouped\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Bytes Out\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Bytes 
In\"},\"mode\":\"normal\",\"show\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"grouped\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Bytes Transferred per Domain\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bytes-transferred-per-domain", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json deleted file mode 100755 index 1b5f21f993..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"exists\\\":{\\\"field\\\":\\\"tls\\\"}}\"},\"query\":{\"exists\":{\"field\":\"tls\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"}}" - }, - "title": "[Network Packet Capture] TLS Alerts", - "uiStateJSON": "{\"vis\":{\"colors\":{\"None\":\"#7EB26D\",\"handshake_failure\":\"#E24D42\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"tls.detailed.alert_types\",\"include\":\".*\",\"json\":\"{\\\"missing\\\": \\\"None\\\"}\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Alerts\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-c14377a0-d353-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-ops.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-ops.json deleted file mode 100755 index fcdb742965..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-ops.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra Ops", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra Ops\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-ops", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-requestcount.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-requestcount.json deleted file mode 100755 index ac31b1fa2f..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-requestcount.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCount", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCount\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcount", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-requestcountbytype.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-requestcountbytype.json deleted file mode 100755 index be3352be29..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-requestcountbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] Cassandra RequestCountByType",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":\"13\",\"scale\":\"log\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCountByType\",\"type\":\"line\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-cassandra-requestcountbytype",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json
deleted file mode 100755
index 9e1ebf6056..0000000000
--- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json
+++ /dev/null
@@ -1,31 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] Cassandra RequestCountStackByType",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCountStackByType\",\"type\":\"histogram\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-cassandra-requestcountstackbytype",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-responsecountbytype.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-responsecountbytype.json
deleted file mode 100755
index 17a71a0e30..0000000000
--- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-responsecountbytype.json
+++ /dev/null
@@ -1,31 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] Cassandra ResponseCountByType",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"},{\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"radiusRatio\":\"15\",\"scale\":\"log\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra: ResponseCountByType\",\"type\":\"line\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-cassandra-responsecountbytype",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json
deleted file mode 100755
index ee9d47e2f6..0000000000
--- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json
+++ /dev/null
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseCountStackByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra ResponseCountStackByType\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsecountstackbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-responsekeyspace.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-responsekeyspace.json deleted file mode 100755 index 2f203d6dd9..0000000000 
--- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-responsekeyspace.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseKeyspace", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.response.result.rows.meta.keyspace\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.result.rows.meta.table\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra ResponseKeyspace\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsekeyspace", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-responsetime.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-responsetime.json
deleted file mode 100755
index 152ebf53ef..0000000000
--- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-responsetime.json
+++ /dev/null
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseTime", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[5,25,50,75,95]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra ResponseTime\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsetime", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-responsetype.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-responsetype.json deleted file mode 100755 index 85c2b4d398..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-cassandra-responsetype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.response.result.type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra ResponseType\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsetype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-connections-over-time.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-connections-over-time.json deleted file mode 100755 index 97d4affdf5..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-connections-over-time.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Connections over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Flows\",\"field\":\"flow.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Unique 
Flows\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Connections over time\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-connections-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json deleted file mode 100755 index d8cedfb7c3..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] DHCPv4 Transaction Count",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Transactions\",\"field\":\"dhcpv4.transaction_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Transaction Count\",\"type\":\"metric\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json
deleted file mode 100755
index 856211710f..0000000000
--- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json
+++ /dev/null
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.duration\",\"negate\":false,\"params\":{\"gte\":0,\"lt\":1000000000},\"type\":\"range\",\"value\":\"0 to 1,000,000,000\"},\"range\":{\"event.duration\":{\"gte\":0,\"lt\":1000000000}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Handshake Latency", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Handshake Latency (ns)\",\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":2000000},\"schema\":\"segment\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"m
ode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] TLS Handshake Latency\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-db-transactions.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-db-transactions.json deleted file mode 100755 index 475882f60d..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-db-transactions.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.type\",\"negate\":true,\"params\":{\"query\":\"flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"flow\"},\"query\":{\"match\":{\"event.type\":{\"query\":\"flow\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"}}" - }, - "title": "[Network Packet Capture] Transaction Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.dataset\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count
\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Transaction Types\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-db-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json deleted file mode 100755 index 333052a373..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json +++ /dev/null 
@@ -1,25 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dns\"}}"
- },
- "title": "[Network Packet Capture] Top Domains by Data Volume",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes In\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ETLD+1\",\"field\":\"dns.question.etld_plus_one\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"3\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes Out\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top Domains by Data Volume\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-dns-query-summary.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-dns-query-summary.json
deleted file mode 100755
index 1898c984d8..0000000000
--- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-dns-query-summary.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] DNS Query Summary",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Server Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Avg Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"17\",\"handleNoResults\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":28,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DNS Query Summary\",\"type\":\"metric\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-dns-query-summary",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-dns-question-types.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-dns-question-types.json
deleted file mode 100755
index b2a975b430..0000000000
--- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-dns-question-types.json
+++ /dev/null
@@ -1,31 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] DNS Question Types",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"dns.question.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DNS Question Types\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-dns-question-types",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-dns-request-status-over-time.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-dns-request-status-over-time.json
deleted file mode 100755
index 53c1b991c8..0000000000
--- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-dns-request-status-over-time.json
+++ /dev/null
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Request Status Over Time", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Error\":\"#890F02\",\"OK\":\"#0A50A1\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"
id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] DNS Request Status Over Time\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-request-status-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-dns-response-codes.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-dns-response-codes.json deleted file mode 100755 index b9edd3cab4..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-dns-response-codes.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Response Codes", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Response Code\",\"field\":\"dns.response_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] DNS Response Codes\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-response-codes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-dns-top-10-questions.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-dns-top-10-questions.json deleted file mode 100755 index d86db94a8d..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-dns-top-10-questions.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":false,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Top 10 Questions", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Question\",\"field\":\"dns.question.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":30},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] DNS Top 10 Questions\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-top-10-questions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": 
"logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json deleted file mode 100755 index b89d822540..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Avg Response 
Time\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"lineWidth\":3.5,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Avg Response Time\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] DNS Transactions\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-errors-count-over-time.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-errors-count-over-time.json deleted file mode 100755 index 5582bc6c67..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-errors-count-over-time.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Errors count over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"30s\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] New Visualization\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-errors-count-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-transactions-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-errors-vs-successful-transactions.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-errors-vs-successful-transactions.json deleted file mode 100755 index c3ac23f5a7..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-errors-vs-successful-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Errors vs successful transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"percentage\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"percentage\",\"setYExtents\":
false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Errors vs successful transactions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-errors-vs-successful-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json deleted file mode 100755 index c0d680e520..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Data Transfer", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Requests\",\"field\":\"client.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Responses\",\"field\":\"server.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":24,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Data Transfer\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json deleted file mode 100755 index d8885cd43f..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] HTTP status codes for the top queries", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"HTTP Query\",\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"HTTP Status Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"row\":false,\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] HTTP status codes for the top queries\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-codes-for-the-top-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-http-error-codes-evolution.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-http-error-codes-evolution.json deleted file mode 100755 index 479733a2af..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-http-error-codes-evolution.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"http.response.status_code\",\"negate\":true,\"params\":{\"gte\":200,\"lt\":299},\"type\":\"range\",\"value\":\"200 to 299\"},\"range\":{\"http.response.status_code\":{\"gte\":200,\"lte\":299}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http\"}}" - }, - "title": "[Network Packet Capture] HTTP error codes evolution", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"HTTP Status 
Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP error codes evolution\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-error-codes-evolution", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - 
"id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-http-error-codes.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-http-error-codes.json deleted file mode 100755 index 1cb90080fc..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-http-error-codes.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"type\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http and http.response.status_code \\u003e= 300\"}}" - }, - "title": "[Network Packet Capture] HTTP error codes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"type\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"HTTP Status 
Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Unique count of type\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP error codes\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-error-codes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-latency-histogram.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-latency-histogram.json deleted file mode 100755 index 34aa0f3d11..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-latency-histogram.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Latency Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":10000000},\"schema\":\"segment\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Latency Histogram\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": 
"network_traffic-latency-histogram", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mongodb-commands.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mongodb-commands.json deleted file mode 100755 index 87474df326..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mongodb-commands.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB Commands", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"silhouette\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\
",\"scale\":{\"defaultYExtents\":false,\"mode\":\"silhouette\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB Commands\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-commands", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mongodb-errors-per-collection.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mongodb-errors-per-collection.json deleted file mode 100755 index ea23f3560f..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mongodb-errors-per-collection.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB errors per collection", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"spyPerPage\":10,\"times\":[],\"type\":\"line\",\"valueA
xes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB errors per collection\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-errors-per-collection", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mongodb-errors.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mongodb-errors.json deleted file mode 100755 index 183ec66ef3..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mongodb-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"row\":true,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mod
e\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"spyPerPage\":10,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB errors\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json deleted file mode 100755 index 74b8a6fd64..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB in/out throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of source.bytes\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"4\",\"label\":\"Sum of 
destination.bytes\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB in/out throughput\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-in-slash-out-throughput", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json deleted file mode 100755 index 0346b7b1cd..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB response times by collection", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":false,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":\"9\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":\"9\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB response times by collection\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-response-times-by-collection", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-most-frequent-mysql-queries.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-most-frequent-mysql-queries.json deleted file mode 100755 index 08c27fcecf..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-most-frequent-mysql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Most frequent MySQL queries", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"query\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true},\"title\":\"[Network Packet Capture] Most frequent MySQL queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-most-frequent-mysql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json deleted file mode 100755 index 6ddc08eafb..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Most frequent PgSQL queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Most frequent PgSQL queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-most-frequent-pgsql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mysql-errors.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mysql-errors.json deleted file mode 100755 index 25ded66860..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mysql-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Errors\",\"type\":\"area\"}" - }, 
- "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mysql-methods.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mysql-methods.json deleted file mode 100755 index 34e609f25b..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mysql-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Methods", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"wiggle\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"sca
le\":{\"defaultYExtents\":false,\"mode\":\"wiggle\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Methods\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mysql-reads-vs-writes.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mysql-reads-vs-writes.json deleted file mode 100755 index 4fece54090..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mysql-reads-vs-writes.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Reads vs Writes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"method: SELECT\"}},{\"input\":{\"language\":\"lucene\",\"query\":\"method: INSERT OR method: UPDATE OR method: DELETE\"}}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 30 
seconds\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Reads vs Writes\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-reads-vs-writes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mysql-response-times-percentiles.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mysql-response-times-percentiles.json deleted file mode 100755 index add1156167..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mysql-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Mysql response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] Mysql response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mysql-throughput.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mysql-throughput.json deleted file mode 100755 index fd67a3b714..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-mysql-throughput.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of destination.bytes\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Sum of 
source.bytes\"},\"mode\":\"normal\",\"show\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] MySQL throughput\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-throughput", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-navigation.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-navigation.json deleted file mode 100755 index 958a4a7a7c..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-navigation.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "[Network Packet Capture] Navigation", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"### Network Packet Capture:\\n\\n[Overview](#/dashboard/network_traffic-dashboard)\\n\\n[Network Flows](#/dashboard/network_traffic-flows)\\n\\n[DNS Overview](#/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e) | [Tunneling](#/dashboard/network_traffic-dns-unique-domains)\\n\\n[DHCPv4 Transactions](#/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb)\\n\\n[TLS Overview](#/dashboard/network_traffic-tls-sessions)\\n\\n[HTTP transactions](#/dashboard/network_traffic-http)\\n\\nDatabases: [MySQL](#/dashboard/network_traffic-mysql-performance) | [PostgreSQL](#/dashboard/network_traffic-pgsql-performance) | [MongoDB](#/dashboard/network_traffic-mongodb-performance) | [Cassandra](#/dashboard/network_traffic-cassandra)\\n\\nRPC: [Thrift](#/dashboard/network_traffic-thrift-performance)\\n\\nStorage: [NFS](#/dashboard/network_traffic-nfs)\",\"openLinksInNewTab\":false},\"title\":\"[Network Packet Capture] Navigation\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-navigation", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json deleted file mode 100755 index 292355bbdf..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Traffic Between Hosts", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Traffic Between Hosts\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-network-traffic-between-your-hosts", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json deleted file mode 100755 index 8b550d78cf..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS Request / Response Sizes", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Sum of rpc.reply_size\":\"#7EB26D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Request Size\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Response Size\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Request Size\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Response 
Size\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS Request / Response Sizes\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-bytes-in-slash-out", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-clients-pie-chart.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-clients-pie-chart.json deleted file mode 100755 index 4272f7571e..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-clients-pie-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS clients pie chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.machinename\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS clients pie chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-clients-pie-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-errors.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-errors.json deleted file mode 100755 index f407f4153d..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"nfs.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":12},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"s
cale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS errors\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs-errors-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-operation-table.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-operation-table.json deleted file mode 100755 index 56e28320c1..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-operation-table.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS operation table", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Opcode\",\"field\":\"nfs.opcode\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] NFS operation table\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-operation-table", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-operations-area-chart.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-operations-area-chart.json deleted file mode 100755 index 56cb538f8f..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-operations-area-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS operations area chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"nfs.opcode\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":16},\"schema\":\"group\",\"type\":\"terms\"},{\"id\":\"3\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS operations area chart\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-operations-area-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-response-times.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-response-times.json deleted file mode 100755 index 2ffaacd816..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-response-times.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS response times", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[50]},\"schema\":\"metric\",\"type\":\"median\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":true,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":\"9\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Median 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":\"9\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Median event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS response times\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-response-times", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json deleted file mode 100755 index c1b2816c13..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS top group pie chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.gid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS top group pie chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-top-group-pie-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json deleted file mode 100755 index 543bfe7058..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS top users pie chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.uid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS top users pie chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-top-users-pie-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json deleted file mode 100755 index 770c776e13..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Number of MongoDB transactions with writeConcern w=0", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExte
nts\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Number of MongoDB transactions with writeConcern w=0\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions-with-write-concern-0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-pgsql-errors.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-pgsql-errors.json deleted file mode 100755 index 88a19443ff..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-pgsql-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Errors\",\"type\":\"area\"}" - }, 
- "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-pgsql-methods.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-pgsql-methods.json deleted file mode 100755 index e49215022c..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-pgsql-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Methods", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"wiggle\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scal
e\":{\"defaultYExtents\":false,\"mode\":\"wiggle\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Methods\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json deleted file mode 100755 index 60be8776dd..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Reads vs Writes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"method: SELECT\"}},{\"input\":{\"language\":\"lucene\",\"query\":\"method: INSERT OR method: UPDATE OR method: DELETE\"}}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 30 
seconds\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Reads vs Writes\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-reads-vs-writes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json deleted file mode 100755 index 66eb8b3b8b..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] PgSQL response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-pgsql-throughput.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-pgsql-throughput.json deleted file mode 100755 index aba4ebafd0..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-pgsql-throughput.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of destination.bytes\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Sum of 
source.bytes\"},\"mode\":\"normal\",\"show\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] PgSQL Throughput\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-throughput", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-response-times-percentiles.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-response-times-percentiles.json deleted file mode 100755 index f43cfc0233..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,95,99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Response times percentiles\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-response-times-repartition.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-response-times-repartition.json deleted file mode 100755 index 2271bdb9a7..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-response-times-repartition.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Response times repartition", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":10000000},\"schema\":\"group\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{
}},\"title\":\"[Network Packet Capture] Response times repartition\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-response-times-repartition", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-slowest-mysql-queries.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-slowest-mysql-queries.json deleted file mode 100755 index 9194c62aaa..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-slowest-mysql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Slowest MySQL queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest MySQL queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-slowest-mysql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-slowest-pgsql-queries.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-slowest-pgsql-queries.json deleted file mode 100755 index ce2d661459..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-slowest-pgsql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Slowest PgSQL Queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Average Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest PgSQL Queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-slowest-pgsql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json deleted file mode 100755 index 777f4d7abe..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Slowest Thrift RPC methods", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest Thrift RPC methods\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-slowest-thrift-rpc-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-thrift-requests-per-minute.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-thrift-requests-per-minute.json deleted file mode 100755 index e9dee7461a..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-thrift-requests-per-minute.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift requests per minute", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"m\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Thrift requests per minute\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-requests-per-minute", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-thrift-response-times-percentiles.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-thrift-response-times-percentiles.json deleted file mode 100755 index 835ee06280..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-thrift-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] Thrift response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-thrift-rpc-errors.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-thrift-rpc-errors.json deleted file mode 100755 index 37e3e901fc..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-thrift-rpc-errors.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift RPC Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Thrift RPC Errors\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-rpc-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-top-10-http-requests.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-top-10-http-requests.json deleted file mode 100755 index bb5c71dbfe..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-top-10-http-requests.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top 10 HTTP requests", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top 10 HTTP requests\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-10-http-requests", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-top-hosts-creating-traffic.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-top-hosts-creating-traffic.json deleted file mode 100755 index 842f9f29ec..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-top-hosts-creating-traffic.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Hosts Creating Traffic", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Source 
Bytes\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Hosts Creating Traffic\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-hosts-creating-traffic", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json deleted file mode 100755 index 34f9d74be2..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Hosts Receiving Traffic", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Destination 
Bytes\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Hosts Receiving Traffic\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-hosts-receiving-traffic", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json deleted file mode 100755 index e39b39b7f9..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top slowest MongoDB queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top slowest MongoDB queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-slowest-mongodb-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json deleted file mode 100755 index 3f7aee4851..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Thrift-RPC calls with errors", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"shareYAxis\":true},\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-thrift-rpc-calls-with-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-top-thrift-rpc-methods.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-top-thrift-rpc-methods.json deleted file mode 100755 index 8add979f7b..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-top-thrift-rpc-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Thrift-RPC methods ", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Thrift-RPC methods\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-thrift-rpc-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-total-number-of-http-transactions.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-total-number-of-http-transactions.json deleted file mode 100755 index 77e8f9b41a..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-total-number-of-http-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Total number of HTTP transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"37\",\"handleNoResults\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] Total number of HTTP transactions\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-total-number-of-http-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json deleted file mode 100755 index 93a9d62de2..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Unique FQDNs per eTLD+1 Table", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ETLD+1\",\"field\":\"dns.question.etld_plus_one\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Unique Domains\",\"field\":\"dns.question.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Unique FQDNs per eTLD+1 Table\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-unique-fqdns-per-etld-1-table", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json deleted file mode 100755 index e94d78a938..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Unique FQDNs per eTLD+1", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Count\":\"#1F78C1\",\"Unique count of dns.question.name\":\"#E0752D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Subdomain Count\",\"field\":\"dns.question.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Domains\",\"field\":\"dns.question.etld_plus_one\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":true,\"legendPosition\":\"right\",\"mode\":\"grouped\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Unique FQDNs per eTLD+1\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-unique-fqdns-per-etld-1", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-web-transactions.json b/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-web-transactions.json deleted file mode 100755 index 354ec98cef..0000000000 --- a/packages/network_traffic/1.2.0/kibana/visualization/network_traffic-web-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] HTTP Transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP Transactions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-web-transactions", 
- "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.2.0/manifest.yml b/packages/network_traffic/1.2.0/manifest.yml deleted file mode 100755 index 984817a843..0000000000 --- a/packages/network_traffic/1.2.0/manifest.yml +++ /dev/null @@ -1,28 +0,0 @@ -format_version: 1.0.0 -name: network_traffic -title: Network Packet Capture -version: 1.2.0 -license: basic -description: Capture and analyze network traffic from a host with Elastic Agent. -type: integration -categories: - - web -release: ga -conditions: - kibana.version: ^7.17.0 || ^8.0.0 -policy_templates: - - name: network - title: Network Packet Capture - description: Capture network traffic - inputs: - - type: packet - title: Capture network traffic - description: Collecting network traffic - vars: - - name: interface - type: text - title: Interface - required: false - show_user: false -owner: - github: elastic/security-external-integrations diff --git a/packages/qnap_nas/1.2.1/changelog.yml b/packages/qnap_nas/1.2.1/changelog.yml deleted file mode 100755 index 65a54ed30f..0000000000 --- a/packages/qnap_nas/1.2.1/changelog.yml +++ /dev/null 
@@ -1,31 +0,0 @@
-# newer versions go on top
-- version: "1.2.1"
- changes:
- - description: Added link to QNAP documentation in the readme file
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3155
-- version: "1.2.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2780
-- version: "1.1.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.1.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2435
-- version: "1.0.1"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.0.0"
- changes:
- - description: initial release
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2202
diff --git a/packages/qnap_nas/1.2.1/data_stream/log/agent/stream/tcp.yml.hbs b/packages/qnap_nas/1.2.1/data_stream/log/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 9241b23255..0000000000
--- a/packages/qnap_nas/1.2.1/data_stream/log/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,23 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-processors:
-- add_locale: ~
-- add_fields:
- target: _tmp
- fields:
- tz_offset: {{tz_offset}}
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/qnap_nas/1.2.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/qnap_nas/1.2.1/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index 53b6e1b0cb..0000000000
--- a/packages/qnap_nas/1.2.1/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,20 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- add_locale: ~
-- add_fields:
- target: _tmp
- fields:
- tz_offset: {{tz_offset}}
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/qnap_nas/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/qnap_nas/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 3949bd87c8..0000000000
--- a/packages/qnap_nas/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,294 +0,0 @@ ---- -description: Pipeline for parsing QNAP NAS logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - - set: - field: observer.vendor - value: QNAP - - set: - field: observer.product - value: NAS - - set: - field: observer.type - value: nas - - grok: - field: event.original - patterns: - - '^(%{ECS_SYSLOG_PRI})?%{SYSLOGTIMESTAMP:_tmp.timestamp} %{NAS} %{SYSLOGPROG}: %{LOG_TYPE:event.provider}: %{GREEDYDATA:_tmp.message}' - pattern_definitions: - NAS: '(?:%{IP:host.ip}|%{HOSTNAME:host.name})' - ECS_SYSLOG_PRI: '<%{NONNEGINT:log.syslog.priority:long}>' - SYSLOGPROG: '%{PROG:process.name}(?:\[%{POSINT:process.pid:int}\])?' - LOG_TYPE: '(event log|conn log)' - - set: - field: event.timezone - value: "{{_tmp.tz_offset}}" - if: ctx._tmp?.tz_offset != null && ctx._tmp?.tz_offset != 'local' - - date: - field: _tmp.timestamp - target_field: '@timestamp' - timezone: "{{ event.timezone }}" - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - if: ctx.event?.timezone != null - - date: - field: _tmp.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - if: ctx.event?.timezone == null - - set: - field: event.created - copy_from: '@timestamp' - - grok: - field: _tmp.message - patterns: - - '^%{SHARED}, Application: %{DATA:qnap.nas.application}, Category: %{DATA:qnap.nas.category}, Content: %{DATA:message}$' - - '^%{SHARED}, Connection type: %{DATA:qnap.nas.connection_type}, Accessed resources: %{RESOURCE}, Action: %{DATA:event.action}$' - pattern_definitions: - SHARED: 'Users: %{USER:user.name}, Source IP: (127.0.0.1|%{IP:source.address}), Computer name: (---|%{HOSTNAME:source.domain})' - RESOURCE: '(\[%{DATA:qnap.nas.application}\] )?(---|%{FILE_PATH:qnap.nas.file.path}|%{DATA:qnap.nas.application})' - FILE_PATH: '[_%\(\)!$@:.,+~\-\s[:alnum:]]*(\/[_%\(\)!$@:.,+~\-\s[:alnum:]]*)+' - - grok: - field: message - patterns: - - '^\[Shared Folders\] 
%{ACTION:event.action} "%{DATA:qnap.nas.file.path}"\.$' - - '^\[User Groups\] %{ACTION:event.action} "%{DATA:group.name}"\.$' - - '^\[Users\] %{USER_EVENTS} "%{DATA:user.target.name}"\.$' - pattern_definitions: - ACTION: (Created|Deleted) %{DATA} - USER_EVENTS: (%{ACTION:event.action}|%{DATA:event.action} of user) - ignore_failure: true - ignore_missing: true - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - grok: - field: qnap.nas.file.path - patterns: - - '%{FILE_PATH:file.path} -> %{FILE_PATH:qnap.nas.file.new_path}' - - '%{FILE_PATH:file.path}' - pattern_definitions: - FILE_PATH: '[_%\(\)!$@:.,+~\-\s[:alnum:]]*(\/[_%\(\)!$@:.,+~\-\s[:alnum:]]*)*' - ignore_failure: true - ignore_missing: true - - grok: - field: file.path - patterns: - - '\.%{DATA:file.extension}$' - ignore_failure: true - ignore_missing: true - - lowercase: - field: event.action - ignore_missing: true - - gsub: - field: event.action - pattern: 'the ' - replacement: '' - ignore_missing: true - - gsub: - field: event.action - pattern: \s - replacement: '-' - ignore_missing: true - - gsub: - field: event.provider - pattern: \s - replacement: '-' - ignore_missing: true - - - script: - lang: painless - description: Add ECS categorization - params: - create-directory: - category: - - file - type: - - creation - read: - category: - - file - type: - - access - rename: - category: - - file - type: - - change - delete: - category: - - file - type: - - 
deletion - add: - category: - - file - type: - - creation - created-shared-folder: - category: - - file - type: - - creation - deleted-shared-folder: - category: - - file - type: - - deletion - created-user-group: - category: - - iam - type: - - group - - creation - deleted-user-group: - category: - - iam - type: - - group - - deletion - changed-password: - category: - - iam - type: - - user - - change - outcome: success - edited-account-profile: - category: - - iam - type: - - user - - change - outcome: success - created-user: - category: - - iam - type: - - user - - creation - deleted-user: - category: - - iam - type: - - user - - deletion - login-fail: - category: - - authentication - type: - - info - outcome: failure - login-success: - category: - - authentication - type: - - start - outcome: success - logout: - category: - - authentication - type: - - end - source: >- - ctx.event.kind = 'event'; - ctx.event.type = 'info'; - if(ctx?.event?.action == null && ctx.event?.provider == 'event-log') { - if(ctx.event?.category == null) { - List list = new ArrayList(); - ctx.event.put("category", list); - } - ctx.event.category.add('configuration'); - ctx.event.type = 'change'; - } else if (ctx?.event?.action == null) { - return; - } - if (params.get(ctx.event.action) == null) { - return; - } - def hm = new HashMap(params.get(ctx.event.action)); - hm.forEach((k, v) -> ctx.event[k] = v); - - append: - if: ctx.source?.ip != null - field: related.ip - value: '{{source.ip}}' - allow_duplicates: false - - append: - if: ctx.source?.domain != null - field: related.hosts - value: '{{source.domain}}' - allow_duplicates: false - - append: - if: ctx.user?.name != null - field: related.user - value: '{{user.name}}' - allow_duplicates: false - - remove: - field: - - _tmp - ignore_missing: true - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. 
- source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == "---"); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - } - handleMap(ctx); - - remove: - field: event.original - if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/qnap_nas/1.2.1/data_stream/log/fields/base-fields.yml b/packages/qnap_nas/1.2.1/data_stream/log/fields/base-fields.yml deleted file mode 100755 index b1f340837b..0000000000 --- a/packages/qnap_nas/1.2.1/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: qnap_nas -- name: event.dataset - type: constant_keyword - description: Event dataset - value: qnap_nas.log -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/qnap_nas/1.2.1/data_stream/log/fields/beats.yml b/packages/qnap_nas/1.2.1/data_stream/log/fields/beats.yml deleted file mode 100755 index 9275638f93..0000000000 --- a/packages/qnap_nas/1.2.1/data_stream/log/fields/beats.yml +++ /dev/null 
@@ -1,15 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/qnap_nas/1.2.1/data_stream/log/fields/ecs.yml b/packages/qnap_nas/1.2.1/data_stream/log/fields/ecs.yml
deleted file mode 100755
index a936a8974f..0000000000
--- a/packages/qnap_nas/1.2.1/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,151 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. 
"EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. 
- name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File extension, excluding the leading dot. 
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: file.extension
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
diff --git a/packages/qnap_nas/1.2.1/data_stream/log/fields/fields.yml b/packages/qnap_nas/1.2.1/data_stream/log/fields/fields.yml
deleted file mode 100755
index 23729a536e..0000000000
--- a/packages/qnap_nas/1.2.1/data_stream/log/fields/fields.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-- name: qnap.nas
- type: group
- fields:
- - name: file.path
- type: keyword
- description: Path of accessed resource
- - name: file.new_path
- type: keyword
- description: Renamed/Moved path of accessed resource
- - name: connection_type
- type: keyword
- description: Connection type (ex. Samba)
- - name: application
- type: keyword
- description: QNAP application that generated the event
- - name: category
- type: keyword
- description: Sub-component of the QNAP application that generated the event
diff --git a/packages/qnap_nas/1.2.1/data_stream/log/manifest.yml b/packages/qnap_nas/1.2.1/data_stream/log/manifest.yml
deleted file mode 100755
index 81a6c1fd29..0000000000
--- a/packages/qnap_nas/1.2.1/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,119 +0,0 @@ -type: logs -title: QNAP NAS logs -streams: - - input: tcp - enabled: true - template_path: tcp.yml.hbs - title: QNAP NAS logs (TCP) - description: Collect QNAP NAS logs using TCP input - vars: - - name: syslog_host - type: text - title: Syslog Host - multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Syslog Port - multi: false - required: true - show_user: true - default: 9301 - - name: tz_offset - type: text - title: Timezone Offset - multi: false - required: true - show_user: true - default: local - description: >- - By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT. - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - qnap-nas - - forwarded - - name: ssl - type: yaml - title: TLS configuration - multi: false - required: false - show_user: true - description: Options for enabling TLS mode. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options. - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. 
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - input: udp - enabled: false - template_path: udp.yml.hbs - title: QNAP NAS logs (UDP) - description: Collect QNAP NAS logs using UDP input - vars: - - name: syslog_host - type: text - title: Syslog Host - multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Syslog Port - multi: false - required: true - show_user: true - default: 9301 - - name: tz_offset - type: text - title: Timezone Offset - multi: false - required: true - show_user: true - default: local - description: >- - By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT. - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - qnap-nas - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
diff --git a/packages/qnap_nas/1.2.1/data_stream/log/sample_event.json b/packages/qnap_nas/1.2.1/data_stream/log/sample_event.json deleted file mode 100755 index a5e600f821..0000000000 --- a/packages/qnap_nas/1.2.1/data_stream/log/sample_event.json +++ /dev/null @@ -1,96 +0,0 @@ -{ - "@timestamp": "2022-10-30T20:24:24.000Z", - "agent": { - "ephemeral_id": "b6db294f-f5fd-4570-9d9c-cd0a74001651", - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "qnap_nas.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "create-directory", - "agent_id_status": "verified", - "category": [ - "file" - ], - "created": "2022-10-30T20:24:24.000Z", - "dataset": "qnap_nas.log", - "ingested": "2022-01-02T09:51:24Z", - "kind": "event", - "provider": "conn-log", - "timezone": "+00:00", - "type": [ - "creation" - ] - }, - "file": { - "path": "path/to/files/New folder" - }, - "host": { - "name": "qnap-nas01" - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.18.0.7:46086" - }, - "syslog": { - "priority": 30 - } - }, - "observer": { - "product": "NAS", - "type": "nas", - "vendor": "QNAP" - }, - "process": { - "name": "qulogd", - "pid": 14629 - }, - "qnap": { - "nas": { - "connection_type": "Samba", - "file": { - "path": "path/to/files/New folder" - } - } - }, - "related": { - "hosts": [ - "user-laptop" - ], - "ip": [ - "10.50.36.33" - ], - "user": [ - "admin.user" - ] - }, - "source": { - "address": "10.50.36.33", - "domain": "user-laptop", - "ip": "10.50.36.33" - }, - "tags": [ - "qnap-nas", - "forwarded" - ], - "user": { - "name": "admin.user" - } -} \ No newline at end of file 
diff --git a/packages/qnap_nas/1.2.1/docs/README.md b/packages/qnap_nas/1.2.1/docs/README.md
deleted file mode 100755
index 3947f1083a..0000000000
--- a/packages/qnap_nas/1.2.1/docs/README.md
+++ /dev/null
@@ -1,174 +0,0 @@ -# QNAP NAS - -The QNAP NAS integration collects Event and Access logs from [QNAP NAS](https://docs.qnap.com/nas-outdated/4.1/SMB/en/index.html?system_logs.htm) devices. - -## Log - -The `log` dataset receives QNAP NAS Event and Access logs over the syslog protocol. This has been tested with QTS 4.5.4 but is expected to work with new versions. This integration is only compatible with the "Send to Syslog Server" option which uses the RFC-3164 syslog format. Both Event and Access events are supported. All protocols; UDP, TCP, TLS are supported. - -### Example event - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2022-10-30T20:24:24.000Z", - "agent": { - "ephemeral_id": "b6db294f-f5fd-4570-9d9c-cd0a74001651", - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "qnap_nas.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "create-directory", - "agent_id_status": "verified", - "category": [ - "file" - ], - "created": "2022-10-30T20:24:24.000Z", - "dataset": "qnap_nas.log", - "ingested": "2022-01-02T09:51:24Z", - "kind": "event", - "provider": "conn-log", - "timezone": "+00:00", - "type": [ - "creation" - ] - }, - "file": { - "path": "path/to/files/New folder" - }, - "host": { - "name": "qnap-nas01" - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.18.0.7:46086" - }, - "syslog": { - "priority": 30 - } - }, - "observer": { - "product": "NAS", - "type": "nas", - "vendor": "QNAP" - }, - "process": { - "name": "qulogd", - "pid": 14629 - }, - "qnap": { - "nas": { - "connection_type": "Samba", - "file": { - "path": "path/to/files/New folder" - } - } - }, - "related": { - "hosts": [ - "user-laptop" - ], - 
"ip": [ - "10.50.36.33" - ], - "user": [ - "admin.user" - ] - }, - "source": { - "address": "10.50.36.33", - "domain": "user-laptop", - "ip": "10.50.36.33" - }, - "tags": [ - "qnap-nas", - "forwarded" - ], - "user": { - "name": "admin.user" - } -} -``` - -**Exported fields** - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. 
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| group.name | Name of the group. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. 
If multiple messages exist, they can be combined into one message. | match_only_text | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.pid | Process id. | long | -| qnap.nas.application | QNAP application that generated the event | keyword | -| qnap.nas.category | Sub-component of the QNAP application that generated the event | keyword | -| qnap.nas.connection_type | Connection type (ex. Samba) | keyword | -| qnap.nas.file.new_path | Renamed/Moved path of accessed resource | keyword | -| qnap.nas.file.path | Path of accessed resource | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. 
| match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | - diff --git a/packages/qnap_nas/1.2.1/img/logo.svg b/packages/qnap_nas/1.2.1/img/logo.svg deleted file mode 100755 index 8f7fb87bd5..0000000000 --- a/packages/qnap_nas/1.2.1/img/logo.svg +++ /dev/null @@ -1,36 +0,0 @@ - - - - - - - - - - - - - - - - - - - - diff --git a/packages/qnap_nas/1.2.1/kibana/dashboard/qnap_nas-32e28700-4b0c-11ec-b2cc-b9a3cc301b75.json b/packages/qnap_nas/1.2.1/kibana/dashboard/qnap_nas-32e28700-4b0c-11ec-b2cc-b9a3cc301b75.json deleted file mode 100755 index cb6ffb29f8..0000000000 --- a/packages/qnap_nas/1.2.1/kibana/dashboard/qnap_nas-32e28700-4b0c-11ec-b2cc-b9a3cc301b75.json +++ /dev/null 
@@ -1,47 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true},\"gridData\":{\"h\":7,\"i\":\"08e193f5-7994-4a34-8572-62dd8fb527fd\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"08e193f5-7994-4a34-8572-62dd8fb527fd\",\"panelRefName\":\"panel_08e193f5-7994-4a34-8572-62dd8fb527fd\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":18,\"i\":\"41e893ff-a7e2-4146-af96-35cd7fc9b5b9\",\"w\":17,\"x\":0,\"y\":7},\"panelIndex\":\"41e893ff-a7e2-4146-af96-35cd7fc9b5b9\",\"panelRefName\":\"panel_41e893ff-a7e2-4146-af96-35cd7fc9b5b9\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"3bef5ad2-ec7d-4cd0-b8af-255533d30f62\",\"w\":15,\"x\":17,\"y\":7},\"panelIndex\":\"3bef5ad2-ec7d-4cd0-b8af-255533d30f62\",\"panelRefName\":\"panel_3bef5ad2-ec7d-4cd0-b8af-255533d30f62\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"table\":null,\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":1,\"width\":168.5},{\"colIndex\":0,\"width\":464.5}]}}},\"gridData\":{\"h\":18,\"i\":\"20d36c90-71af-4062-94da-0374c871667e\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"20d36c90-71af-4062-94da-0374c871667e\",\"panelRefName\":\"panel_20d36c90-71af-4062-94da-0374c871667e\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"e0abcb09-b900-4d29-9146-02ab3aca914e\",\"w\":48,\"x\":0,\"y\":25},\"panelIndex\":\"e0abcb09-b900-4d29-9146-02ab3aca914e\",\"panelRefName\":\"panel_e0abcb09-b900-4d29-
9146-02ab3aca914e\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[QNAP NAS] Access Logs", - "version": 1 - }, - "coreMigrationVersion": "7.16.0", - "id": "qnap_nas-32e28700-4b0c-11ec-b2cc-b9a3cc301b75", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "qnap_nas-47e207a0-4b13-11ec-b2cc-b9a3cc301b75", - "name": "08e193f5-7994-4a34-8572-62dd8fb527fd:panel_08e193f5-7994-4a34-8572-62dd8fb527fd", - "type": "visualization" - }, - { - "id": "qnap_nas-ae17aa40-4b0c-11ec-b2cc-b9a3cc301b75", - "name": "41e893ff-a7e2-4146-af96-35cd7fc9b5b9:panel_41e893ff-a7e2-4146-af96-35cd7fc9b5b9", - "type": "visualization" - }, - { - "id": "qnap_nas-05c7ac80-4b0e-11ec-b2cc-b9a3cc301b75", - "name": "3bef5ad2-ec7d-4cd0-b8af-255533d30f62:panel_3bef5ad2-ec7d-4cd0-b8af-255533d30f62", - "type": "visualization" - }, - { - "id": "qnap_nas-d315c4c0-4b0d-11ec-b2cc-b9a3cc301b75", - "name": "20d36c90-71af-4062-94da-0374c871667e:panel_20d36c90-71af-4062-94da-0374c871667e", - "type": "visualization" - }, - { - "id": "qnap_nas-6cc17ac0-4b0d-11ec-b2cc-b9a3cc301b75", - "name": "e0abcb09-b900-4d29-9146-02ab3aca914e:panel_e0abcb09-b900-4d29-9146-02ab3aca914e", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/qnap_nas/1.2.1/kibana/search/qnap_nas-50acdec0-4b0c-11ec-b2cc-b9a3cc301b75.json b/packages/qnap_nas/1.2.1/kibana/search/qnap_nas-50acdec0-4b0c-11ec-b2cc-b9a3cc301b75.json deleted file mode 100755 index bdf45511e0..0000000000 --- a/packages/qnap_nas/1.2.1/kibana/search/qnap_nas-50acdec0-4b0c-11ec-b2cc-b9a3cc301b75.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":{\"query\":\"qnap_nas.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.dataset\":\"qnap_nas.log\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Discover [QNAP NAS]" - }, - "coreMigrationVersion": "7.16.0", - "id": "qnap_nas-50acdec0-4b0c-11ec-b2cc-b9a3cc301b75", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/qnap_nas/1.2.1/kibana/visualization/qnap_nas-05c7ac80-4b0e-11ec-b2cc-b9a3cc301b75.json b/packages/qnap_nas/1.2.1/kibana/visualization/qnap_nas-05c7ac80-4b0e-11ec-b2cc-b9a3cc301b75.json deleted file mode 100755 index 39a1ee9bde..0000000000 --- a/packages/qnap_nas/1.2.1/kibana/visualization/qnap_nas-05c7ac80-4b0e-11ec-b2cc-b9a3cc301b75.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Connection Types [QNAP NAS]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"qnap.nas.connection_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Connection Types [QNAP NAS]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "qnap_nas-05c7ac80-4b0e-11ec-b2cc-b9a3cc301b75", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "qnap_nas-50acdec0-4b0c-11ec-b2cc-b9a3cc301b75", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/qnap_nas/1.2.1/kibana/visualization/qnap_nas-47e207a0-4b13-11ec-b2cc-b9a3cc301b75.json b/packages/qnap_nas/1.2.1/kibana/visualization/qnap_nas-47e207a0-4b13-11ec-b2cc-b9a3cc301b75.json deleted file mode 100755 index 604b6c25b3..0000000000 --- a/packages/qnap_nas/1.2.1/kibana/visualization/qnap_nas-47e207a0-4b13-11ec-b2cc-b9a3cc301b75.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"qnap_nas.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"qnap_nas.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Controls [QNAP NAS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"source.ip\",\"id\":\"1637528635830\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Source IP\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"host.name\",\"id\":\"1637528676545\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"NAS Hostname\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"user.name\",\"id\":\"1637528892452\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"User\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"qnap.nas.connection_type\",\"id\":\"1637530638172\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Connection Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Controls [QNAP NAS]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": 
"qnap_nas-47e207a0-4b13-11ec-b2cc-b9a3cc301b75", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_3_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/qnap_nas/1.2.1/kibana/visualization/qnap_nas-6cc17ac0-4b0d-11ec-b2cc-b9a3cc301b75.json b/packages/qnap_nas/1.2.1/kibana/visualization/qnap_nas-6cc17ac0-4b0d-11ec-b2cc-b9a3cc301b75.json deleted file mode 100755 index 774e1f6329..0000000000 --- a/packages/qnap_nas/1.2.1/kibana/visualization/qnap_nas-6cc17ac0-4b0d-11ec-b2cc-b9a3cc301b75.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.provider\",\"negate\":false,\"params\":{\"query\":\"conn-log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.provider\":\"conn-log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Event Actions over Time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y/d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"1w\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":
\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Event Actions over TIme\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "qnap_nas-6cc17ac0-4b0d-11ec-b2cc-b9a3cc301b75", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "qnap_nas-50acdec0-4b0c-11ec-b2cc-b9a3cc301b75", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/qnap_nas/1.2.1/kibana/visualization/qnap_nas-ae17aa40-4b0c-11ec-b2cc-b9a3cc301b75.json b/packages/qnap_nas/1.2.1/kibana/visualization/qnap_nas-ae17aa40-4b0c-11ec-b2cc-b9a3cc301b75.json deleted file mode 100755 index 9c8c81a1ea..0000000000 --- a/packages/qnap_nas/1.2.1/kibana/visualization/qnap_nas-ae17aa40-4b0c-11ec-b2cc-b9a3cc301b75.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"file\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "File Actions [QNAP NAS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"File Actions [QNAP NAS]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "qnap_nas-ae17aa40-4b0c-11ec-b2cc-b9a3cc301b75", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "qnap_nas-50acdec0-4b0c-11ec-b2cc-b9a3cc301b75", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/qnap_nas/1.2.1/kibana/visualization/qnap_nas-d315c4c0-4b0d-11ec-b2cc-b9a3cc301b75.json b/packages/qnap_nas/1.2.1/kibana/visualization/qnap_nas-d315c4c0-4b0d-11ec-b2cc-b9a3cc301b75.json deleted file mode 100755 index ec9de93ff2..0000000000 --- a/packages/qnap_nas/1.2.1/kibana/visualization/qnap_nas-d315c4c0-4b0d-11ec-b2cc-b9a3cc301b75.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.provider\",\"negate\":false,\"params\":{\"query\":\"conn-log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.provider\":\"conn-log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Accessed Files [QNAP NAS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"file.path\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top Accessed Files [QNAP NAS]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "qnap_nas-d315c4c0-4b0d-11ec-b2cc-b9a3cc301b75", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "qnap_nas-50acdec0-4b0c-11ec-b2cc-b9a3cc301b75", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/qnap_nas/1.2.1/manifest.yml b/packages/qnap_nas/1.2.1/manifest.yml deleted file mode 100755 index d92f5de321..0000000000 --- a/packages/qnap_nas/1.2.1/manifest.yml +++ /dev/null 
@@ -1,29 +0,0 @@
-name: qnap_nas
-title: QNAP NAS
-version: 1.2.1
-release: ga
-description: Collect logs from QNAP NAS devices with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: ["security"]
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-icons:
- - src: /img/logo.svg
- title: QNAP logo
- size: 643x121
- type: image/svg+xml
-policy_templates:
- - name: qnap
- title: QNAP NAS Event & Access logs
- description: Collect logs from QNAP NAS
- inputs:
- - type: tcp
- title: 'Collect logs from QNAP NAS via TCP'
- description: 'Collecting logs from QNAP NAS via TCP'
- type: udp
- title: 'Collect logs from QNAP NAS via UDP'
- description: 'Collecting logs from QNAP NAS via UDP'
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/tomcat/1.4.1/changelog.yml b/packages/tomcat/1.4.1/changelog.yml
deleted file mode 100755
index 67128a82ea..0000000000
--- a/packages/tomcat/1.4.1/changelog.yml
+++ /dev/null
@@ -1,106 +0,0 @@
-# newer versions go on top
-- version: "1.4.1"
- changes:
- - description: update readme to include link to Tomcat documentation
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3174
-- version: "1.4.0"
- changes:
- - description: Update to ECS 8.2.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2781
-- version: "1.3.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.3.0"
- changes:
- - description: Update to ECS 8.0.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2598
-- version: "1.2.1"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.2.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2235
-- version: "1.1.4"
- changes:
- - description: Uniform with guidelines
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2081
-- version: "1.1.3"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1990
-- version: "1.1.2"
- changes:
- - description: Fixed a bug that prevents the package from working in 7.16.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1882
-- version: "1.1.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1856
-- version: "1.1.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1681
-- version: "1.0.0"
- changes:
- - description: Release Tomcat as GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1620
-- version: "0.4.4"
- changes:
- - description: Requires version 7.14.1 of the stack
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1541
-- version: "0.4.3"
- changes:
- - description: Convert to generated ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1509
-- version: '0.4.2'
- changes:
- - description: update to ECS 1.11.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1422
-- version: "0.4.1"
- changes:
- - description: Escape special characters in docs
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1405
-- version: "0.4.0"
- changes:
- - description: Update integration description
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1364
-- version: "0.3.0"
- changes:
- - description: Set "event.module" and "event.dataset"
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1237
-- version: "0.2.0"
- changes:
- - description: update to ECS 1.10.0 and adding event.original options
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1106
-- version: "0.1.4"
- changes:
- - description: update to ECS 1.9.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/875
-- version: "0.1.0"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/package-storage/pull/181
diff --git a/packages/tomcat/1.4.1/data_stream/log/agent/stream/stream.yml.hbs b/packages/tomcat/1.4.1/data_stream/log/agent/stream/stream.yml.hbs
deleted file mode 100755
index 113133317e..0000000000
--- a/packages/tomcat/1.4.1/data_stream/log/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,2767 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Apache" - product: "TomCat" - type: "Web" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
- "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
- "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
- "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
- "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
- "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
- "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
- "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
- "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
- "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
- "direction": {to:[{field: "network.direction", setter: fld_set}]},
- "directory": {to:[{field: "file.directory", setter: fld_set}]},
- "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
- "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
- "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
- "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
- "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
- 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup6, - ])); - - var hdr1 = match("HEADER#0:0001", "message", "%APACHETOMCAT-%{level}-%{messageid}: %{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hostname->} %APACHETOMCAT- %{messageid}: %{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - ]); - - var msg1 = msg("ABCD", dup7); - - var msg2 = msg("BADMETHOD", dup7); - - var msg3 = msg("BADMTHD", dup7); - - var msg4 = msg("BDMTHD", dup7); - - var msg5 = msg("INDEX", dup7); - - var msg6 = msg("CFYZ", dup7); - - var msg7 = msg("CONNECT", dup7); - - var msg8 = msg("DELETE", dup7); - - var msg9 = msg("DETECT_METHOD_TYPE", dup7); - - var msg10 = msg("FGET", dup7); - - var msg11 = msg("GET", dup7); - - var msg12 = msg("get", dup7); - - var msg13 = msg("HEAD", dup7); - - var msg14 = msg("id", dup7); - - var msg15 = msg("LOCK", dup7); - - var msg16 = msg("MKCOL", dup7); - - var msg17 = msg("NCIRCLE", dup7); - - var msg18 = msg("OPTIONS", dup7); - - var msg19 = msg("POST", dup7); - - var msg20 = msg("PRONECT", dup7); - - var msg21 = msg("PROPFIND", dup7); - - var msg22 = msg("PUT", dup7); - - var msg23 = msg("QUALYS", dup7); - - var msg24 = msg("SEARCH", dup7); - - var msg25 = msg("TRACK", dup7); - - var msg26 = msg("TRACE", dup7); - - var msg27 = msg("uGET", dup7); - - var msg28 = msg("null", dup7); - - var msg29 = msg("rndmmtd", dup7); - - var msg30 = msg("RNDMMTD", dup7); - - var msg31 = msg("asdf", dup7); - - var msg32 = msg("DEBUG", dup7); - - var msg33 = msg("COOK", dup7); - - var msg34 = msg("nGET", dup7); - - var chain1 = 
processor_chain([
- select1,
- msgid_select({
- "ABCD": msg1,
- "BADMETHOD": msg2,
- "BADMTHD": msg3,
- "BDMTHD": msg4,
- "CFYZ": msg6,
- "CONNECT": msg7,
- "COOK": msg33,
- "DEBUG": msg32,
- "DELETE": msg8,
- "DETECT_METHOD_TYPE": msg9,
- "FGET": msg10,
- "GET": msg11,
- "HEAD": msg13,
- "INDEX": msg5,
- "LOCK": msg15,
- "MKCOL": msg16,
- "NCIRCLE": msg17,
- "OPTIONS": msg18,
- "POST": msg19,
- "PRONECT": msg20,
- "PROPFIND": msg21,
- "PUT": msg22,
- "QUALYS": msg23,
- "RNDMMTD": msg30,
- "SEARCH": msg24,
- "TRACE": msg26,
- "TRACK": msg25,
- "asdf": msg31,
- "get": msg12,
- "id": msg14,
- "nGET": msg34,
- "null": msg28,
- "rndmmtd": msg29,
- "uGET": msg27,
- }),
- ]);
-
- var part1 = match("MESSAGE#0:ABCD", "nwparser.payload", "%{saddr}||%{fld5}||%{username}||[%{fld7->} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([
- dup1,
- dup2,
- dup3,
- dup4,
- dup5,
- dup6,
- ]));
-
-- community_id:
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing:
true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/tomcat/1.4.1/data_stream/log/agent/stream/tcp.yml.hbs b/packages/tomcat/1.4.1/data_stream/log/agent/stream/tcp.yml.hbs
deleted file mode 100755
index f0f616d366..0000000000
--- a/packages/tomcat/1.4.1/data_stream/log/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,2764 +0,0 @@
-tcp:
-host: "{{tcp_host}}:{{tcp_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-fields_under_root: true
-fields:
- observer:
- vendor: "Apache"
- product: "TomCat"
- type: "Web"
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-{{#if processors}}
-{{processors}}
-{{/if}}
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{rsa_fields}}
- tz_offset: {{tz_offset}}
- keep_raw: {{keep_raw_fields}}
- debug: {{debug}}
- source: |
- // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- // or more contributor license agreements. Licensed under the Elastic License;
- // you may not use this file except in compliance with the Elastic License.
-
- /* jshint -W014,-W016,-W097,-W116 */
-
- var processor = require("processor");
- var console = require("console");
-
- var FLAG_FIELD = "log.flags";
- var FIELDS_OBJECT = "nwparser";
- var FIELDS_PREFIX = FIELDS_OBJECT + ".";
-
- var defaults = {
- debug: false,
- ecs: true,
- rsa: false,
- keep_raw: false,
- tz_offset: "local",
- strip_priority: true
- };
-
- var saved_flags = null;
- var debug;
- var map_ecs;
- var map_rsa;
- var keep_raw;
- var device;
- var tz_offset;
- var strip_priority;
-
- // Register params from configuration.
- function register(params) {
- debug = params.debug !== undefined ? params.debug : defaults.debug;
- map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
- map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
- keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
- tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
- strip_priority = params.strip_priority !== undefined?
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup6, - ])); - - var hdr1 = match("HEADER#0:0001", "message", "%APACHETOMCAT-%{level}-%{messageid}: %{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hostname->} %APACHETOMCAT- %{messageid}: %{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - ]); - - var msg1 = msg("ABCD", dup7); - - var msg2 = msg("BADMETHOD", dup7); - - var msg3 = msg("BADMTHD", dup7); - - var msg4 = msg("BDMTHD", dup7); - - var msg5 = msg("INDEX", dup7); - - var msg6 = msg("CFYZ", dup7); - - var msg7 = msg("CONNECT", dup7); - - var msg8 = msg("DELETE", dup7); - - var msg9 = msg("DETECT_METHOD_TYPE", dup7); - - var msg10 = msg("FGET", dup7); - - var msg11 = msg("GET", dup7); - - var msg12 = msg("get", dup7); - - var msg13 = msg("HEAD", dup7); - - var msg14 = msg("id", dup7); - - var msg15 = msg("LOCK", dup7); - - var msg16 = msg("MKCOL", dup7); - - var msg17 = msg("NCIRCLE", dup7); - - var msg18 = msg("OPTIONS", dup7); - - var msg19 = msg("POST", dup7); - - var msg20 = msg("PRONECT", dup7); - - var msg21 = msg("PROPFIND", dup7); - - var msg22 = msg("PUT", dup7); - - var msg23 = msg("QUALYS", dup7); - - var msg24 = msg("SEARCH", dup7); - - var msg25 = msg("TRACK", dup7); - - var msg26 = msg("TRACE", dup7); - - var msg27 = msg("uGET", dup7); - - var msg28 = msg("null", dup7); - - var msg29 = msg("rndmmtd", dup7); - - var msg30 = msg("RNDMMTD", dup7); - - var msg31 = msg("asdf", dup7); - - var msg32 = msg("DEBUG", dup7); - - var msg33 = msg("COOK", dup7); - - var msg34 = msg("nGET", dup7); - - var chain1 = 
processor_chain([ - select1, - msgid_select({ - "ABCD": msg1, - "BADMETHOD": msg2, - "BADMTHD": msg3, - "BDMTHD": msg4, - "CFYZ": msg6, - "CONNECT": msg7, - "COOK": msg33, - "DEBUG": msg32, - "DELETE": msg8, - "DETECT_METHOD_TYPE": msg9, - "FGET": msg10, - "GET": msg11, - "HEAD": msg13, - "INDEX": msg5, - "LOCK": msg15, - "MKCOL": msg16, - "NCIRCLE": msg17, - "OPTIONS": msg18, - "POST": msg19, - "PRONECT": msg20, - "PROPFIND": msg21, - "PUT": msg22, - "QUALYS": msg23, - "RNDMMTD": msg30, - "SEARCH": msg24, - "TRACE": msg26, - "TRACK": msg25, - "asdf": msg31, - "get": msg12, - "id": msg14, - "nGET": msg34, - "null": msg28, - "rndmmtd": msg29, - "uGET": msg27, - }), - ]); - - var part1 = match("MESSAGE#0:ABCD", "nwparser.payload", "%{saddr}||%{fld5}||%{username}||[%{fld7->} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup6, - ])); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: 
true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/tomcat/1.4.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/tomcat/1.4.1/data_stream/log/agent/stream/udp.yml.hbs deleted file mode 100755 index 46606d1ad7..0000000000 --- a/packages/tomcat/1.4.1/data_stream/log/agent/stream/udp.yml.hbs +++ /dev/null 
@@ -1,2764 +0,0 @@ -udp: -host: "{{udp_host}}:{{udp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Apache" - product: "TomCat" - type: "Web" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined;
- }
-
- function dateVariableWidthNumber(fmtChar, min, max, setter) {
- return function (str, pos, date) {
- var start = skipws(str, pos);
- pos = skipdigits(str, start);
- var s = str.substr(start, pos - start);
- var value = parseInt(s, 10);
- if (value >= min && value <= max) {
- setter.call(date, value);
- return pos;
- }
- return;
- };
- }
-
- function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
- return function (str, pos, date) {
- pos = skipws(str, pos);
- var n = str.length;
- if (pos + width > n) return;
- var s = str.substr(pos, width);
- var value = parseInt(s, 10);
- if (value >= min && value <= max) {
- setter.call(date, value);
- return pos + width;
- }
- return;
- };
- }
-
- // Short month name (Jan..Dec).
- function dateMonthName(long) {
- return function (str, pos, date) {
- pos = skipws(str, pos);
- var n = str.length;
- if (pos + 3 > n) return;
- var mon = str.substr(pos, 3);
- var idx = shortMonths[mon];
- if (idx === undefined) {
- idx = shortMonths[mon.toLowerCase()];
- }
- if (idx === undefined) {
- //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
- return;
- }
- date.setMonth(idx[0]+1);
- return pos + 3 + (long ?
idx[1] : 0);
- };
- }
-
- function url_wrapper(dst, src, fn) {
- return function(evt) {
- var value = evt.Get(FIELDS_PREFIX + src), result;
- if (value != null && (result = fn(value))!== undefined) {
- evt.Put(FIELDS_PREFIX + dst, result);
- } else {
- console.debug(fn.name + " failed for '" + value + "'");
- }
- };
- }
-
- // The following regular expression for parsing URLs from:
- // https://github.com/wizard04wsu/URI_Parsing
- //
- // The MIT License (MIT)
- //
- // Copyright (c) 2014 Andrew Harrison
- //
- // Permission is hereby granted, free of charge, to any person obtaining a copy of
- // this software and associated documentation files (the "Software"), to deal in
- // the Software without restriction, including without limitation the rights to
- // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
- // the Software, and to permit persons to whom the Software is furnished to do so,
- // subject to the following conditions:
- //
- // The above copyright notice and this permission notice shall be included in all
- // copies or substantial portions of the Software.
- //
- // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
- // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
- // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
- // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
- // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
-
- var uriScheme = 1;
- var uriDomain = 5;
- var uriPort = 6;
- var uriPath = 7;
- var uriPathAlt = 9;
- var uriQuery = 11;
-
- function domain(dst, src) {
- return url_wrapper(dst, src, extract_domain);
- }
-
- function split_url(value) {
- var m = value.match(uriRegExp);
- if (m && m[uriDomain]) return m;
- // Support input in the form "www.example.net/path", but not "/path".
- m = ("null://" + value).match(uriRegExp);
- if (m) return m;
- }
-
- function extract_domain(value) {
- var m = split_url(value);
- if (m && m[uriDomain]) return m[uriDomain];
- }
-
- var extFromPage = /\.[^.]+$/;
- function extract_ext(value) {
- var page = extract_page(value);
- if (page) {
- var m = page.match(extFromPage);
- if (m) return m[0];
- }
- }
-
- function ext(dst, src) {
- return url_wrapper(dst, src, extract_ext);
- }
-
- function fqdn(dst, src) {
- // TODO: fqdn and domain(eTLD+1) are currently the same.
- return domain(dst, src);
- }
-
- var pageFromPathRegExp = /\/([^\/]+)$/;
- var pageName = 1;
-
- function extract_page(value) {
- value = extract_path(value);
- if (!value) return undefined;
- var m = value.match(pageFromPathRegExp);
- if (m) return m[pageName];
- }
-
- function page(dst, src) {
- return url_wrapper(dst, src, extract_page);
- }
-
- function extract_path(value) {
- var m = split_url(value);
- return m? m[uriPath] || m[uriPathAlt] : undefined;
- }
-
- function path(dst, src) {
- return url_wrapper(dst, src, extract_path);
- }
-
- // Map common schemes to their default port.
- // port has to be a string (will be converted at a later stage).
- var schemePort = {
- "ftp": "21",
- "ssh": "22",
- "http": "80",
- "https": "443",
- };
-
- function extract_port(value) {
- var m = split_url(value);
- if (!m) return undefined;
- if (m[uriPort]) return m[uriPort];
- if (m[uriScheme]) {
- return schemePort[m[uriScheme]];
- }
- }
-
- function port(dst, src) {
- return url_wrapper(dst, src, extract_port);
- }
-
- function extract_query(value) {
- var m = split_url(value);
- if (m && m[uriQuery]) return m[uriQuery];
- }
-
- function query(dst, src) {
- return url_wrapper(dst, src, extract_query);
- }
-
- function extract_root(value) {
- var m = split_url(value);
- if (m && m[uriDomain] && m[uriDomain]) {
- var scheme = m[uriScheme] && m[uriScheme] !== "null"?
- m[uriScheme] + "://" : "";
- var port = m[uriPort]? ":" + m[uriPort] : "";
- return scheme + m[uriDomain] + port;
- }
- }
-
- function root(dst, src) {
- return url_wrapper(dst, src, extract_root);
- }
-
- function tagval(id, src, cfg, keys, on_success) {
- var fail = function(evt) {
- evt.Put(FLAG_FIELD, "tagval_parsing_error");
- }
- if (cfg.kv_separator.length !== 1) {
- throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
- }
- var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
- "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
- "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
- "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
- "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
- "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
- "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
- "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
- "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
- "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
- "direction": {to:[{field: "network.direction", setter: fld_set}]},
- "directory": {to:[{field: "file.directory", setter: fld_set}]},
- "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
- "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
- "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
- "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
- "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
-
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field:
"host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip,
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter:
fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio:
0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter:
fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field:
"rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src":
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field:
"rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field:
"rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
-
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field:
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup6, - ])); - - var hdr1 = match("HEADER#0:0001", "message", "%APACHETOMCAT-%{level}-%{messageid}: %{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hostname->} %APACHETOMCAT- %{messageid}: %{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - ]); - - var msg1 = msg("ABCD", dup7); - - var msg2 = msg("BADMETHOD", dup7); - - var msg3 = msg("BADMTHD", dup7); - - var msg4 = msg("BDMTHD", dup7); - - var msg5 = msg("INDEX", dup7); - - var msg6 = msg("CFYZ", dup7); - - var msg7 = msg("CONNECT", dup7); - - var msg8 = msg("DELETE", dup7); - - var msg9 = msg("DETECT_METHOD_TYPE", dup7); - - var msg10 = msg("FGET", dup7); - - var msg11 = msg("GET", dup7); - - var msg12 = msg("get", dup7); - - var msg13 = msg("HEAD", dup7); - - var msg14 = msg("id", dup7); - - var msg15 = msg("LOCK", dup7); - - var msg16 = msg("MKCOL", dup7); - - var msg17 = msg("NCIRCLE", dup7); - - var msg18 = msg("OPTIONS", dup7); - - var msg19 = msg("POST", dup7); - - var msg20 = msg("PRONECT", dup7); - - var msg21 = msg("PROPFIND", dup7); - - var msg22 = msg("PUT", dup7); - - var msg23 = msg("QUALYS", dup7); - - var msg24 = msg("SEARCH", dup7); - - var msg25 = msg("TRACK", dup7); - - var msg26 = msg("TRACE", dup7); - - var msg27 = msg("uGET", dup7); - - var msg28 = msg("null", dup7); - - var msg29 = msg("rndmmtd", dup7); - - var msg30 = msg("RNDMMTD", dup7); - - var msg31 = msg("asdf", dup7); - - var msg32 = msg("DEBUG", dup7); - - var msg33 = msg("COOK", dup7); - - var msg34 = msg("nGET", dup7); - - var chain1 = 
processor_chain([ - select1, - msgid_select({ - "ABCD": msg1, - "BADMETHOD": msg2, - "BADMTHD": msg3, - "BDMTHD": msg4, - "CFYZ": msg6, - "CONNECT": msg7, - "COOK": msg33, - "DEBUG": msg32, - "DELETE": msg8, - "DETECT_METHOD_TYPE": msg9, - "FGET": msg10, - "GET": msg11, - "HEAD": msg13, - "INDEX": msg5, - "LOCK": msg15, - "MKCOL": msg16, - "NCIRCLE": msg17, - "OPTIONS": msg18, - "POST": msg19, - "PRONECT": msg20, - "PROPFIND": msg21, - "PUT": msg22, - "QUALYS": msg23, - "RNDMMTD": msg30, - "SEARCH": msg24, - "TRACE": msg26, - "TRACK": msg25, - "asdf": msg31, - "get": msg12, - "id": msg14, - "nGET": msg34, - "null": msg28, - "rndmmtd": msg29, - "uGET": msg27, - }), - ]); - - var part1 = match("MESSAGE#0:ABCD", "nwparser.payload", "%{saddr}||%{fld5}||%{username}||[%{fld7->} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup6, - ])); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: 
true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/tomcat/1.4.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/tomcat/1.4.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 2acd0481e2..0000000000 --- a/packages/tomcat/1.4.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,68 +0,0 @@ ---- -description: Pipeline for Apache Tomcat - -processors: - - set: - field: ecs.version - value: '8.2.0' - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/tomcat/1.4.1/data_stream/log/fields/base-fields.yml b/packages/tomcat/1.4.1/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 423a2e20de..0000000000 --- a/packages/tomcat/1.4.1/data_stream/log/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: tomcat
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: tomcat.log
diff --git a/packages/tomcat/1.4.1/data_stream/log/fields/ecs.yml b/packages/tomcat/1.4.1/data_stream/log/fields/ecs.yml
deleted file mode 100755
index ff203e3870..0000000000
--- a/packages/tomcat/1.4.1/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,596 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: Unique container id. - name: container.id - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
- name: destination.mac - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: destination.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
- name: destination.top_level_domain - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - name: file.attributes - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. 
- name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. - name: geo.city_name - type: keyword -- description: Country name. - name: geo.country_name - type: keyword -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. 
For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. 
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - Total packets transferred in both directions. 
- If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. 
Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. 
- name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. 
The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: url.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. 
- name: user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
-- description: Name of the device.
- name: user_agent.device.name
- type: keyword
-- description: Name of the user agent.
- name: user_agent.name
- type: keyword
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
-- description: OS family (such as redhat, debian, freebsd, windows).
- name: user_agent.os.family
- type: keyword
-- description: Operating system name, including the version or code name.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.os.full
- type: keyword
-- description: Operating system kernel version as a raw string.
- name: user_agent.os.kernel
- type: keyword
-- description: Operating system name, without the version.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.os.name
- type: keyword
-- description: Operating system platform (such centos, ubuntu, windows).
- name: user_agent.os.platform
- type: keyword
-- description: |-
- Use the `os.type` field to categorize the operating system into one of the broad commercial families.
- One of these following values should be used (lowercase): linux, macos, unix, windows.
- If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
- name: user_agent.os.type
- type: keyword
-- description: Operating system version as a raw string.
- name: user_agent.os.version
- type: keyword
-- description: Version of the user agent.
- name: user_agent.version
- type: keyword
diff --git a/packages/tomcat/1.4.1/data_stream/log/fields/fields.yml b/packages/tomcat/1.4.1/data_stream/log/fields/fields.yml
deleted file mode 100755
index 8cadeee90a..0000000000
--- a/packages/tomcat/1.4.1/data_stream/log/fields/fields.yml
+++ /dev/null
@@ -1,1766 +0,0 @@
-- name: rsa
- type: group
- fields:
- - name: internal
- type: group
- fields:
- - name: msg
- type: keyword
- description: This key is used to capture the raw message that comes into the Log Decoder
- - name: messageid
- type: keyword
- - name: event_desc
- type: keyword
- - name: message
- type: keyword
- description: This key captures the contents of instant messages
- - name: time
- type: date
- description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
- - name: level
- type: long
- description: Deprecated key defined only in table map.
- - name: msg_id
- type: keyword
- description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: msg_vid
- type: keyword
- description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: data
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_server
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_val
- type: keyword
- description: Deprecated key defined only in table map.
- - name: resource
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_id
- type: keyword
- description: Deprecated key defined only in table map.
- - name: statement
- type: keyword
- description: Deprecated key defined only in table map.
- - name: audit_class
- type: keyword
- description: Deprecated key defined only in table map.
- - name: entry - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - type: keyword - description: Deprecated key defined only in table map. - - name: inode - type: long - description: Deprecated key defined only in table map. - - name: resource_class - type: keyword - description: Deprecated key defined only in table map. - - name: dead - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - type: keyword - description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: feed_name - type: keyword - description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: cid - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_class - type: keyword - description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_group - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - type: keyword - description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - type: keyword - description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type_id - type: long - description: Deprecated key defined only in table map. - - name: did - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: entropy_req - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: entropy_res - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: event_name - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - type: keyword - description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: forward_ip - type: ip - description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - type: ip - description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: header_id - type: keyword - description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_cid - type: keyword - description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_ctime - type: date - description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - type: long - description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - type: long - description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: mcbc_res - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: medium - type: long - description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - type: keyword - description: Deprecated key defined only in table map. - - name: nwe_callback_id - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - type: keyword - description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: payload_req - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep - - name: payload_res - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - - name: process_vid_dst - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - - name: process_vid_src - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - - name: rid - type: long - description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: session_split - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - type: keyword - description: Deprecated key defined only in table map. - - name: size - type: long - description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: sourcefile - type: keyword - description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once - - name: ubc_res - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - - name: word - type: keyword - description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - - name: time - type: group - fields: - - name: event_time - type: date - description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - - name: duration_time - type: double - description: This key is used to capture the normalized duration/lifetime in seconds. - - name: event_time_str - type: keyword - description: This key is used to capture the incomplete time mentioned in a session as a string - - name: starttime - type: date - description: This key is used to capture the Start time mentioned in a session in a standard form - - name: month - type: keyword - - name: day - type: keyword - - name: endtime - type: date - description: This key is used to capture the End time mentioned in a session in a standard form - - name: timezone - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - type: keyword - description: A text string version of the duration - - name: date - type: keyword - - name: year - type: keyword - - name: recorded_time - type: date - description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
- - name: datetime - type: keyword - - name: effective_time - type: date - description: This key is the effective time referenced by an individual event in a Standard Timestamp format - - name: expire_time - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - type: keyword - description: Deprecated, use duration.time - - name: hour - type: keyword - - name: min - type: keyword - - name: timestamp - type: keyword - - name: event_queue_time - type: date - description: This key is the Time that the event was queued. - - name: p_time1 - type: keyword - - name: tzone - type: keyword - - name: eventtime - type: keyword - - name: gmtdate - type: keyword - - name: gmttime - type: keyword - - name: p_date - type: keyword - - name: p_month - type: keyword - - name: p_time - type: keyword - - name: p_time2 - type: keyword - - name: p_year - type: keyword - - name: expire_time_str - type: keyword - description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - - name: stamp - type: date - description: Deprecated key defined only in table map. - - name: misc - type: group - fields: - - name: action - type: keyword - - name: result - type: keyword - description: This key is used to capture the outcome/result string value of an action in a session. - - name: severity - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - type: keyword - description: This key captures the event category type as specified by the event source. - - name: reference_id - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - type: keyword - description: This key captures Version of the application or OS which is generating the event. - - name: disposition - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - type: keyword - description: This key is used to capture the outcome/result numeric value of an action in a session - - name: category - type: keyword - description: This key is used to capture the category of an event given by the vendor in the session - - name: obj_name - type: keyword - description: This is used to capture name of object - - name: obj_type - type: keyword - description: This is used to capture type of object - - name: event_source - type: keyword - description: "This key captures Source of the event that’s not a hostname" - - name: log_session_id - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - type: keyword - description: This key captures the Group Name value - - name: policy_name - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - type: keyword - description: This key captures the Rule Name - - name: context - type: keyword - description: This key captures Information which adds additional context to the event. - - name: change_new - type: keyword - description: "This key is used to capture the new values of the attribute that’s changing in a session" - - name: space - type: keyword - - name: client - type: keyword - description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - - name: msgIdPart1 - type: keyword - - name: msgIdPart2 - type: keyword - - name: change_old - type: keyword - description: "This key is used to capture the old value of the attribute that’s changing in a session" - - name: operation_id - type: keyword - description: An alert number or operation number. The values should be unique and non-repeating. 
- - name: event_state - type: keyword - description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - - name: group_object - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - type: keyword - description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - - name: rule - type: keyword - description: This key captures the Rule number - - name: device_name - type: keyword - description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - - name: param - type: keyword - description: This key is the parameters passed as part of a command or application, etc. - - name: change_attrib - type: keyword - description: "This key is used to capture the name of the attribute that’s changing in a session" - - name: event_computer - type: keyword - description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - - name: reference_id1 - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - type: keyword - description: This key captures the Name of the event log - - name: OS - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - type: keyword - - name: filter - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - type: keyword - description: This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
- - name: event_user
- type: keyword
- description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.
- - name: virusname
- type: keyword
- description: This key captures the name of the virus
- - name: content_type
- type: keyword
- description: This key is used to capture Content Type only.
- - name: group_id
- type: keyword
- description: This key captures Group ID Number (related to the group name)
- - name: policy_id
- type: keyword
- description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
- - name: vsys
- type: keyword
- description: This key captures Virtual System Name
- - name: connection_id
- type: keyword
- description: This key captures the Connection ID
- - name: reference_id2
- type: keyword
- description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
- - name: sensor
- type: keyword
- description: This key captures Name of the sensor. Typically used in IDS/IPS based devices
- - name: sig_id
- type: long
- description: This key captures IDS/IPS Int Signature ID
- - name: port_name
- type: keyword
- description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).'
- - name: rule_group
- type: keyword
- description: This key captures the Rule group name
- - name: risk_num
- type: double
- description: This key captures a Numeric Risk value
- - name: trigger_val
- type: keyword
- description: This key captures the Value of the trigger or threshold condition.
- - name: log_session_id1
- type: keyword
- description: This key is used to capture a Linked (Related) Session ID from the session directly
- - name: comp_version
- type: keyword
- description: This key captures the Version level of a sub-component of a product.
- - name: content_version
- type: keyword
- description: This key captures Version level of a signature or database content.
- - name: hardware_id
- type: keyword
- description: This key is used to capture unique identifier for a device or system (NOT a Mac address)
- - name: risk
- type: keyword
- description: This key captures the non-numeric risk value
- - name: event_id
- type: keyword
- - name: reason
- type: keyword
- - name: status
- type: keyword
- - name: mail_id
- type: keyword
- description: This key is used to capture the mailbox id/name
- - name: rule_uid
- type: keyword
- description: This key is the Unique Identifier for a rule.
- - name: trigger_desc
- type: keyword
- description: This key captures the Description of the trigger or threshold condition.
- - name: inout
- type: keyword
- - name: p_msgid
- type: keyword
- - name: data_type
- type: keyword
- - name: msgIdPart4
- type: keyword
- - name: error
- type: keyword
- description: This key captures All non successful Error codes or responses
- - name: index
- type: keyword
- - name: listnum
- type: keyword
- description: This key is used to capture listname or listnumber, primarily for collecting access-list
- - name: ntype
- type: keyword
- - name: observed_val
- type: keyword
- description: This key captures the Value observed (from the perspective of the device generating the log).
- - name: policy_value
- type: keyword
- description: This key captures the contents of the policy.
This contains details about the policy
- - name: pool_name
- type: keyword
- description: This key captures the name of a resource pool
- - name: rule_template
- type: keyword
- description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template
- - name: count
- type: keyword
- - name: number
- type: keyword
- - name: sigcat
- type: keyword
- - name: type
- type: keyword
- - name: comments
- type: keyword
- description: Comment information provided in the log message
- - name: doc_number
- type: long
- description: This key captures File Identification number
- - name: expected_val
- type: keyword
- description: This key captures the Value expected (from the perspective of the device generating the log).
- - name: job_num
- type: keyword
- description: This key captures the Job Number
- - name: spi_dst
- type: keyword
- description: Destination SPI Index
- - name: spi_src
- type: keyword
- description: Source SPI Index
- - name: code
- type: keyword
- - name: agent_id
- type: keyword
- description: This key is used to capture agent id
- - name: message_body
- type: keyword
- description: This key captures the The contents of the message body.
- - name: phone
- type: keyword
- - name: sig_id_str
- type: keyword
- description: This key captures a string object of the sigid variable.
- - name: cmd
- type: keyword
- - name: misc
- type: keyword
- - name: name
- type: keyword
- - name: cpu
- type: long
- description: This key is the CPU time used in the execution of the event being recorded.
- - name: event_desc
- type: keyword
- description: This key is used to capture a description of an event available directly or inferred
- - name: sig_id1
- type: long
- description: This key captures IDS/IPS Int Signature ID.
This must be linked to the sig.id
- - name: im_buddyid
- type: keyword
- - name: im_client
- type: keyword
- - name: im_userid
- type: keyword
- - name: pid
- type: keyword
- - name: priority
- type: keyword
- - name: context_subject
- type: keyword
- description: This key is to be used in an audit context where the subject is the object being identified
- - name: context_target
- type: keyword
- - name: cve
- type: keyword
- description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.
- - name: fcatnum
- type: keyword
- description: This key captures Filter Category Number. Legacy Usage
- - name: library
- type: keyword
- description: This key is used to capture library information in mainframe devices
- - name: parent_node
- type: keyword
- description: This key captures the Parent Node Name. Must be related to node variable.
- - name: risk_info
- type: keyword
- description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- - name: tcp_flags
- type: long
- description: This key is captures the TCP flags set in any packet of session
- - name: tos
- type: long
- description: This key describes the type of service
- - name: vm_target
- type: keyword
- description: VMWare Target **VMWARE** only varaible.
- - name: workspace
- type: keyword
- description: This key captures Workspace Description
- - name: command
- type: keyword
- - name: event_category
- type: keyword
- - name: facilityname
- type: keyword
- - name: forensic_info
- type: keyword
- - name: jobname
- type: keyword
- - name: mode
- type: keyword
- - name: policy
- type: keyword
- - name: policy_waiver
- type: keyword
- - name: second
- type: keyword
- - name: space1
- type: keyword
- - name: subcategory
- type: keyword
- - name: tbdstr2
- type: keyword
- - name: alert_id
- type: keyword
- description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- - name: checksum_dst
- type: keyword
- description: This key is used to capture the checksum or hash of the the target entity such as a process or file.
- - name: checksum_src
- type: keyword
- description: This key is used to capture the checksum or hash of the source entity such as a file or process.
- - name: fresult
- type: long
- description: This key captures the Filter Result
- - name: payload_dst
- type: keyword
- description: This key is used to capture destination payload
- - name: payload_src
- type: keyword
- description: This key is used to capture source payload
- - name: pool_id
- type: keyword
- description: This key captures the identifier (typically numeric field) of a resource pool
- - name: process_id_val
- type: keyword
- description: This key is a failure key for Process ID when it is not an integer value
- - name: risk_num_comm
- type: double
- description: This key captures Risk Number Community
- - name: risk_num_next
- type: double
- description: This key captures Risk Number NextGen
- - name: risk_num_sand
- type: double
- description: This key captures Risk Number SandBox
- - name: risk_num_static
- type: double
- description: This key captures Risk Number Static
- - name: risk_suspicious
- type: keyword
- description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- - name: risk_warning - 
type: keyword
- description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- - name: snmp_oid
- type: keyword
- description: SNMP Object Identifier
- - name: sql
- type: keyword
- description: This key captures the SQL query
- - name: vuln_ref
- type: keyword
- description: This key captures the Vulnerability Reference details
- - name: acl_id
- type: keyword
- - name: acl_op
- type: keyword
- - name: acl_pos
- type: keyword
- - name: acl_table
- type: keyword
- - name: admin
- type: keyword
- - name: alarm_id
- type: keyword
- - name: alarmname
- type: keyword
- - name: app_id
- type: keyword
- - name: audit
- type: keyword
- - name: audit_object
- type: keyword
- - name: auditdata
- type: keyword
- - name: benchmark
- type: keyword
- - name: bypass
- type: keyword
- - name: cache
- type: keyword
- - name: cache_hit
- type: keyword
- - name: cefversion
- type: keyword
- - name: cfg_attr
- type: keyword
- - name: cfg_obj
- type: keyword
- - name: cfg_path
- type: keyword
- - name: changes
- type: keyword
- - name: client_ip
- type: keyword
- - name: clustermembers
- type: keyword
- - name: cn_acttimeout
- type: keyword
- - name: cn_asn_src
- type: keyword
- - name: cn_bgpv4nxthop
- type: keyword
- - name: cn_ctr_dst_code
- type: keyword
- - name: cn_dst_tos
- type: keyword
- - name: cn_dst_vlan
- type: keyword
- - name: cn_engine_id
- type: keyword
- - name: cn_engine_type
- type: keyword
- - name: cn_f_switch
- type: keyword
- - name: cn_flowsampid
- type: keyword
- - name: cn_flowsampintv
- type: keyword
- - name: cn_flowsampmode
- type: keyword
- - name: cn_inacttimeout
- type: keyword
- - name: cn_inpermbyts
- type: keyword
- - name: cn_inpermpckts
- type: keyword
- - name: cn_invalid
- type: keyword
- - name: cn_ip_proto_ver
- type: keyword
- - name: cn_ipv4_ident
- type: keyword
- - name: cn_l_switch
- type: keyword
- - name: cn_log_did
- type: keyword
- - name: cn_log_rid
- type: keyword
- - name: cn_max_ttl
- type: keyword
- - name: 
cn_maxpcktlen
- type: keyword
- - name: cn_min_ttl
- type: keyword
- - name: cn_minpcktlen
- type: keyword
- - name: cn_mpls_lbl_1
- type: keyword
- - name: cn_mpls_lbl_10
- type: keyword
- - name: cn_mpls_lbl_2
- type: keyword
- - name: cn_mpls_lbl_3
- type: keyword
- - name: cn_mpls_lbl_4
- type: keyword
- - name: cn_mpls_lbl_5
- type: keyword
- - name: cn_mpls_lbl_6
- type: keyword
- - name: cn_mpls_lbl_7
- type: keyword
- - name: cn_mpls_lbl_8
- type: keyword
- - name: cn_mpls_lbl_9
- type: keyword
- - name: cn_mplstoplabel
- type: keyword
- - name: cn_mplstoplabip
- type: keyword
- - name: cn_mul_dst_byt
- type: keyword
- - name: cn_mul_dst_pks
- type: keyword
- - name: cn_muligmptype
- type: keyword
- - name: cn_sampalgo
- type: keyword
- - name: cn_sampint
- type: keyword
- - name: cn_seqctr
- type: keyword
- - name: cn_spackets
- type: keyword
- - name: cn_src_tos
- type: keyword
- - name: cn_src_vlan
- type: keyword
- - name: cn_sysuptime
- type: keyword
- - name: cn_template_id
- type: keyword
- - name: cn_totbytsexp
- type: keyword
- - name: cn_totflowexp
- type: keyword
- - name: cn_totpcktsexp
- type: keyword
- - name: cn_unixnanosecs
- type: keyword
- - name: cn_v6flowlabel
- type: keyword
- - name: cn_v6optheaders
- type: keyword
- - name: comp_class
- type: keyword
- - name: comp_name
- type: keyword
- - name: comp_rbytes
- type: keyword
- - name: comp_sbytes
- type: keyword
- - name: cpu_data
- type: keyword
- - name: criticality
- type: keyword
- - name: cs_agency_dst
- type: keyword
- - name: cs_analyzedby
- type: keyword
- - name: cs_av_other
- type: keyword
- - name: cs_av_primary
- type: keyword
- - name: cs_av_secondary
- type: keyword
- - name: cs_bgpv6nxthop
- type: keyword
- - name: cs_bit9status
- type: keyword
- - name: cs_context
- type: keyword
- - name: cs_control
- type: keyword
- - name: cs_data
- type: keyword
- - name: cs_datecret
- type: keyword
- - name: cs_dst_tld
- type: keyword
- - name: cs_eth_dst_ven
- type: keyword
- - 
name: cs_eth_src_ven
- type: keyword
- - name: cs_event_uuid
- type: keyword
- - name: cs_filetype
- type: keyword
- - name: cs_fld
- type: keyword
- - name: cs_if_desc
- type: keyword
- - name: cs_if_name
- type: keyword
- - name: cs_ip_next_hop
- type: keyword
- - name: cs_ipv4dstpre
- type: keyword
- - name: cs_ipv4srcpre
- type: keyword
- - name: cs_lifetime
- type: keyword
- - name: cs_log_medium
- type: keyword
- - name: cs_loginname
- type: keyword
- - name: cs_modulescore
- type: keyword
- - name: cs_modulesign
- type: keyword
- - name: cs_opswatresult
- type: keyword
- - name: cs_payload
- type: keyword
- - name: cs_registrant
- type: keyword
- - name: cs_registrar
- type: keyword
- - name: cs_represult
- type: keyword
- - name: cs_rpayload
- type: keyword
- - name: cs_sampler_name
- type: keyword
- - name: cs_sourcemodule
- type: keyword
- - name: cs_streams
- type: keyword
- - name: cs_targetmodule
- type: keyword
- - name: cs_v6nxthop
- type: keyword
- - name: cs_whois_server
- type: keyword
- - name: cs_yararesult
- type: keyword
- - name: description
- type: keyword
- - name: devvendor
- type: keyword
- - name: distance
- type: keyword
- - name: dstburb
- type: keyword
- - name: edomain
- type: keyword
- - name: edomaub
- type: keyword
- - name: euid
- type: keyword
- - name: facility
- type: keyword
- - name: finterface
- type: keyword
- - name: flags
- type: keyword
- - name: gaddr
- type: keyword
- - name: id3
- type: keyword
- - name: im_buddyname
- type: keyword
- - name: im_croomid
- type: keyword
- - name: im_croomtype
- type: keyword
- - name: im_members
- type: keyword
- - name: im_username
- type: keyword
- - name: ipkt
- type: keyword
- - name: ipscat
- type: keyword
- - name: ipspri
- type: keyword
- - name: latitude
- type: keyword
- - name: linenum
- type: keyword
- - name: list_name
- type: keyword
- - name: load_data
- type: keyword
- - name: location_floor
- type: keyword
- - name: location_mark
- type: keyword
- - name: log_id - 
type: keyword
- - name: log_type
- type: keyword
- - name: logid
- type: keyword
- - name: logip
- type: keyword
- - name: logname
- type: keyword
- - name: longitude
- type: keyword
- - name: lport
- type: keyword
- - name: mbug_data
- type: keyword
- - name: misc_name
- type: keyword
- - name: msg_type
- type: keyword
- - name: msgid
- type: keyword
- - name: netsessid
- type: keyword
- - name: num
- type: keyword
- - name: number1
- type: keyword
- - name: number2
- type: keyword
- - name: nwwn
- type: keyword
- - name: object
- type: keyword
- - name: operation
- type: keyword
- - name: opkt
- type: keyword
- - name: orig_from
- type: keyword
- - name: owner_id
- type: keyword
- - name: p_action
- type: keyword
- - name: p_filter
- type: keyword
- - name: p_group_object
- type: keyword
- - name: p_id
- type: keyword
- - name: p_msgid1
- type: keyword
- - name: p_msgid2
- type: keyword
- - name: p_result1
- type: keyword
- - name: password_chg
- type: keyword
- - name: password_expire
- type: keyword
- - name: permgranted
- type: keyword
- - name: permwanted
- type: keyword
- - name: pgid
- type: keyword
- - name: policyUUID
- type: keyword
- - name: prog_asp_num
- type: keyword
- - name: program
- type: keyword
- - name: real_data
- type: keyword
- - name: rec_asp_device
- type: keyword
- - name: rec_asp_num
- type: keyword
- - name: rec_library
- type: keyword
- - name: recordnum
- type: keyword
- - name: ruid
- type: keyword
- - name: sburb
- type: keyword
- - name: sdomain_fld
- type: keyword
- - name: sec
- type: keyword
- - name: sensorname
- type: keyword
- - name: seqnum
- type: keyword
- - name: session
- type: keyword
- - name: sessiontype
- type: keyword
- - name: sigUUID
- type: keyword
- - name: spi
- type: keyword
- - name: srcburb
- type: keyword
- - name: srcdom
- type: keyword
- - name: srcservice
- type: keyword
- - name: state
- type: keyword
- - name: status1
- type: keyword
- - name: svcno
- type: keyword
- - name: system
- type: keyword
- - 
name: tbdstr1
- type: keyword
- - name: tgtdom
- type: keyword
- - name: tgtdomain
- type: keyword
- - name: threshold
- type: keyword
- - name: type1
- type: keyword
- - name: udb_class
- type: keyword
- - name: url_fld
- type: keyword
- - name: user_div
- type: keyword
- - name: userid
- type: keyword
- - name: username_fld
- type: keyword
- - name: utcstamp
- type: keyword
- - name: v_instafname
- type: keyword
- - name: virt_data
- type: keyword
- - name: vpnid
- type: keyword
- - name: autorun_type
- type: keyword
- description: This is used to capture Auto Run type
- - name: cc_number
- type: long
- description: Valid Credit Card Numbers only
- - name: content
- type: keyword
- description: This key captures the content type from protocol headers
- - name: ein_number
- type: long
- description: Employee Identification Numbers only
- - name: found
- type: keyword
- description: This is used to capture the results of regex match
- - name: language
- type: keyword
- description: This is used to capture list of languages the client support and what it prefers
- - name: lifetime
- type: long
- description: This key is used to capture the session lifetime in seconds.
- - name: link
- type: keyword
- description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: match
- type: keyword
- description: This key is for regex match name from search.ini
- - name: param_dst
- type: keyword
- description: This key captures the command line/launch argument of the target process or file
- - name: param_src
- type: keyword
- description: This key captures source parameter
- - name: search_text
- type: keyword
- description: This key captures the Search Text used
- - name: sig_name
- type: keyword
- description: This key is used to capture the Signature Name only.
- - name: snmp_value
- type: keyword
- description: SNMP set request value
- - name: streams
- type: long
- description: This key captures number of streams in session
- - name: db
- type: group
- fields:
- - name: index
- type: keyword
- description: This key captures IndexID of the index.
- - name: instance
- type: keyword
- description: This key is used to capture the database server instance name
- - name: database
- type: keyword
- description: This key is used to capture the name of a database or an instance as seen in a session
- - name: transact_id
- type: keyword
- description: This key captures the SQL transantion ID of the current session
- - name: permissions
- type: keyword
- description: This key captures permission or privilege level assigned to a resource.
- - name: table_name
- type: keyword
- description: This key is used to capture the table name
- - name: db_id
- type: keyword
- description: This key is used to capture the unique identifier for a database
- - name: db_pid
- type: long
- description: This key captures the process id of a connection with database server
- - name: lread
- type: long
- description: This key is used for the number of logical reads
- - name: lwrite
- type: long
- description: This key is used for the number of logical writes
- - name: pread
- type: long
- description: This key is used for the number of physical writes
- - name: network
- type: group
- fields:
- - name: alias_host
- type: keyword
- description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.
- - name: domain
- type: keyword
- - name: host_dst
- type: keyword
- description: "This key should only be used when it’s a Destination Hostname"
- - name: network_service
- type: keyword
- description: This is used to capture layer 7 protocols/service names
- - name: interface
- type: keyword
- description: This key should be used when the source or destination context of an interface is not clear
- - name: network_port
- type: long
- description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- - name: eth_host
- type: keyword
- description: Deprecated, use alias.mac
- - name: sinterface
- type: keyword
- description: "This key should only be used when it’s a Source Interface"
- - name: dinterface
- type: keyword
- description: "This key should only be used when it’s a Destination Interface"
- - name: vlan
- type: long
- description: This key should only be used to capture the ID of the Virtual LAN
- - name: zone_src
- type: keyword
- description: "This key should only be used when it’s a Source Zone."
- - name: zone
- type: keyword
- description: This key should be used when the source or destination context of a Zone is not clear
- - name: zone_dst
- type: keyword
- description: "This key should only be used when it’s a Destination Zone."
- - name: gateway
- type: keyword
- description: This key is used to capture the IP Address of the gateway
- - name: icmp_type
- type: long
- description: This key is used to capture the ICMP type only
- - name: mask
- type: keyword
- description: This key is used to capture the device network IPmask.
- - name: icmp_code
- type: long
- description: This key is used to capture the ICMP code only
- - name: protocol_detail
- type: keyword
- description: This key should be used to capture additional protocol information
- - name: dmask
- type: keyword
- description: This key is used for Destionation Device network mask
- - name: port
- type: long
- description: This key should only be used to capture a Network Port when the directionality is not clear
- - name: smask
- type: keyword
- description: This key is used for capturing source Network Mask
- - name: netname
- type: keyword
- description: This key is used to capture the network name associated with an IP range. This is configured by the end user.
- - name: paddr
- type: ip
- description: Deprecated
- - name: faddr
- type: keyword
- - name: lhost
- type: keyword
- - name: origin
- type: keyword
- - name: remote_domain_id
- type: keyword
- - name: addr
- type: keyword
- - name: dns_a_record
- type: keyword
- - name: dns_ptr_record
- type: keyword
- - name: fhost
- type: keyword
- - name: fport
- type: keyword
- - name: laddr
- type: keyword
- - name: linterface
- type: keyword
- - name: phost
- type: keyword
- - name: ad_computer_dst
- type: keyword
- description: Deprecated, use host.dst
- - name: eth_type
- type: long
- description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only
- - name: ip_proto
- type: long
- description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI
- - name: dns_cname_record
- type: keyword
- - name: dns_id
- type: keyword
- - name: dns_opcode
- type: keyword
- - name: dns_resp
- type: keyword
- - name: dns_type
- type: keyword
- - name: domain1
- type: keyword
- - name: host_type
- type: keyword
- - name: packet_length
- type: keyword
- - name: host_orig
- type: keyword
- description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
- - name: rpayload
- type: keyword
- description: This key is used to capture the total number of payload bytes seen in the retransmitted packets.
- - name: vlan_name
- type: keyword
- description: This key should only be used to capture the name of the Virtual LAN
- - name: investigations
- type: group
- fields:
- - name: ec_activity
- type: keyword
- description: This key captures the particular event activity(Ex:Logoff)
- - name: ec_theme
- type: keyword
- description: This key captures the Theme of a particular Event(Ex:Authentication)
- - name: ec_subject
- type: keyword
- description: This key captures the Subject of a particular Event(Ex:User)
- - name: ec_outcome
- type: keyword
- description: This key captures the outcome of a particular Event(Ex:Success)
- - name: event_cat
- type: long
- description: This key captures the Event category number
- - name: event_cat_name
- type: keyword
- description: This key captures the event category name corresponding to the event cat code
- - name: event_vcat
- type: keyword
- description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
- - name: analysis_file
- type: keyword
- description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
- - name: analysis_service
- type: keyword
- description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
- - name: analysis_session
- type: keyword
- description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- - name: boc
- type: keyword
- description: This is used to capture behaviour of compromise
- - name: eoc
- type: keyword
- description: This is used to capture Enablers of Compromise
- - name: inv_category
- type: keyword
- description: This used to capture investigation category
- - name: inv_context
- type: keyword
- description: This used to capture investigation context
- - name: ioc
- type: keyword
- description: This is key capture indicator of compromise
- - name: counters
- type: group
- fields:
- - name: dclass_c1
- type: long
- description: This is a generic counter key that should be used with the label dclass.c1.str only
- - name: dclass_c2
- type: long
- description: This is a generic counter key that should be used with the label dclass.c2.str only
- - name: event_counter
- type: long
- description: This is used to capture the number of times an event repeated
- - name: dclass_r1
- type: keyword
- description: This is a generic ratio key that should be used with the label dclass.r1.str only
- - name: dclass_c3
- type: long
- description: This is a generic counter key that should be used with the label dclass.c3.str only
- - name: dclass_c1_str
- type: keyword
- description: This is a generic counter string key that should be used with the label dclass.c1 only
- - name: dclass_c2_str
- type: keyword
- description: This is a generic counter string key that should be used with the label dclass.c2 only
- - name: dclass_r1_str
- type: keyword
- description: This is a generic ratio string key that should be used with the label dclass.r1 only
- - name: dclass_r2
- type: keyword
- description: This is a generic ratio key that should be used with the label dclass.r2.str only
- - name: dclass_c3_str
- type: keyword
- description: This is a generic counter string key that should be used with the label dclass.c3 only
- - name: dclass_r3
- type: keyword
- description: This is a generic ratio key that
should be used with the label dclass.r3.str only
- - name: dclass_r2_str
- type: keyword
- description: This is a generic ratio string key that should be used with the label dclass.r2 only
- - name: dclass_r3_str
- type: keyword
- description: This is a generic ratio string key that should be used with the label dclass.r3 only
- - name: identity
- type: group
- fields:
- - name: auth_method
- type: keyword
- description: This key is used to capture authentication methods used only
- - name: user_role
- type: keyword
- description: This key is used to capture the Role of a user only
- - name: dn
- type: keyword
- description: X.500 (LDAP) Distinguished Name
- - name: logon_type
- type: keyword
- description: This key is used to capture the type of logon method used.
- - name: profile
- type: keyword
- description: This key is used to capture the user profile
- - name: accesses
- type: keyword
- description: This key is used to capture actual privileges used in accessing an object
- - name: realm
- type: keyword
- description: Radius realm or similar grouping of accounts
- - name: user_sid_dst
- type: keyword
- description: This key captures Destination User Session ID
- - name: dn_src
- type: keyword
- description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
- - name: org
- type: keyword
- description: This key captures the User organization
- - name: dn_dst
- type: keyword
- description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn
- - name: firstname
- type: keyword
- description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
- - name: lastname
- type: keyword
- description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
- - name: user_dept
- type: keyword
- description: User's Department Names only
- - name: user_sid_src
- type: keyword
- description: This
key captures Source User Session ID
- - name: federated_sp
- type: keyword
- description: This key is the Federated Service Provider. This is the application requesting authentication.
- - name: federated_idp
- type: keyword
- description: This key is the federated Identity Provider. This is the server providing the authentication.
- - name: logon_type_desc
- type: keyword
- description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
- - name: middlename
- type: keyword
- description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
- - name: password
- type: keyword
- description: This key is for Passwords seen in any session, plain text or encrypted
- - name: host_role
- type: keyword
- description: This key should only be used to capture the role of a Host Machine
- - name: ldap
- type: keyword
- description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context"
- - name: ldap_query
- type: keyword
- description: This key is the Search criteria from an LDAP search
- - name: ldap_response
- type: keyword
- description: This key is to capture Results from an LDAP search
- - name: owner
- type: keyword
- description: This is used to capture username the process or service is running as, the author of the task
- - name: service_account
- type: keyword
- description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under.
Legacy Usage
- - name: email
- type: group
- fields:
- - name: email_dst
- type: keyword
- description: This key is used to capture the Destination email address only, when the destination context is not clear use email
- - name: email_src
- type: keyword
- description: This key is used to capture the source email address only, when the source context is not clear use email
- - name: subject
- type: keyword
- description: This key is used to capture the subject string from an Email only.
- - name: email
- type: keyword
- description: This key is used to capture a generic email address where the source or destination context is not clear
- - name: trans_from
- type: keyword
- description: Deprecated key defined only in table map.
- - name: trans_to
- type: keyword
- description: Deprecated key defined only in table map.
- - name: file
- type: group
- fields:
- - name: privilege
- type: keyword
- description: Deprecated, use permissions
- - name: attachment
- type: keyword
- description: This key captures the attachment file name
- - name: filesystem
- type: keyword
- - name: binary
- type: keyword
- description: Deprecated key defined only in table map.
- - name: filename_dst - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - type: keyword - description: This is used to capture name of the parent filename, the file which performed the action - - name: filename_tmp - type: keyword - - name: directory_dst - type: keyword - description: This key is used to capture the directory of the target process or file - - name: directory_src - type: keyword - description: This key is used to capture the directory of the source process or file - - name: file_entropy - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - type: keyword - description: This is used to capture name of the task - - name: web - type: group - fields: - - name: fqdn - type: keyword - description: Fully Qualified Domain Names - - name: web_cookie - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - type: keyword - - name: reputation_num - type: double - description: Reputation Number of an entity. 
Typically used for Web Domains - - name: web_ref_domain - type: keyword - description: Web referer's domain - - name: web_ref_query - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - type: keyword - - name: web_ref_page - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - type: keyword - - name: cn_rpackets - type: keyword - - name: urlpage - type: keyword - - name: urlroot - type: keyword - - name: p_url - type: keyword - - name: p_user_agent - type: keyword - - name: p_web_cookie - type: keyword - - name: p_web_method - type: keyword - - name: p_web_referer - type: keyword - - name: web_extension_tmp - type: keyword - - name: web_page - type: keyword - - name: threat - type: group - fields: - - name: threat_category - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of alert - - name: threat_desc - type: keyword - description: This key is used to capture the threat description from the session directly or inferred - - name: alert - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - type: keyword - description: This key is used to capture source of the threat - - name: crypto - type: group - fields: - - name: crypto - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key only - - name: cipher_src - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - type: keyword - description: IKE negotiation phase. 
- - name: scheme - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - type: keyword - description: "This key is for Encryption peer’s identity" - - name: sig_type - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - type: keyword - - name: cert_host_name - type: keyword - description: Deprecated key defined only in table map. - - name: cert_error - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - type: keyword - description: Deprecated, use version - - name: d_certauth - type: keyword - - name: s_certauth - type: keyword - - name: ike_cookie1 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase One" - - name: ike_cookie2 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase Two" - - name: cert_checksum - type: keyword - - name: cert_host_cat - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - type: keyword - description: Deprecated, use version - - name: cert_keysize - type: keyword - - name: cert_username - type: keyword - - name: https_insact - type: keyword - - name: https_valid - type: keyword - - name: cert_ca - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - type: group - fields: - - name: wlan_ssid - type: keyword - 
description: This key is used to capture the ssid of a Wireless Session - - name: access_point - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - type: long - description: This is used to capture the channel names - - name: wlan_name - type: keyword - description: This key captures either WLAN number/name - - name: storage - type: group - fields: - - name: disk_volume - type: keyword - description: A unique name assigned to logical units (volumes) within a physical disk - - name: lun - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - type: group - fields: - - name: org_dst - type: keyword - description: This is used to capture the destination organization based on the GEOPIP Maxmind database. - - name: org_src - type: keyword - description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
- - name: healthcare - type: group - fields: - - name: patient_fname - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - - name: patient_id - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - - name: patient_mname - type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - - name: endpoint - type: group - fields: - - name: host_state - type: keyword - description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - - name: registry_key - type: keyword - description: This key captures the path to the registry key - - name: registry_value - type: keyword - description: This key captures values or decorators used within a registry entry -- name: dns.question.domain - type: keyword - ignore_above: 1024 - description: Server domain. -- name: network.interface.name - type: keyword -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset -- name: log.flags - description: Flags for the log file. - type: keyword -- name: log.source.address - description: Source address from which the log event was read / sent from. - type: keyword diff --git a/packages/tomcat/1.4.1/data_stream/log/manifest.yml b/packages/tomcat/1.4.1/data_stream/log/manifest.yml deleted file mode 100755 index 2ded244821..0000000000 --- a/packages/tomcat/1.4.1/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,203 +0,0 @@
-title: Apache Tomcat logs
-type: logs
-streams:
- - input: udp
- title: Apache Tomcat logs
- description: Collect Apache Tomcat logs
- template_path: udp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - tomcat-log
- - forwarded
- - name: udp_host
- type: text
- title: UDP host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: udp_port
- type: integer
- title: UDP port to listen on
- multi: false
- required: true
- show_user: true
- default: 9523
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: tcp
- title: Apache Tomcat logs
- description: Collect Apache Tomcat logs
- template_path: tcp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - tomcat-log
- - forwarded
- - name: tcp_host
- type: text
- title: TCP host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: tcp_port
- type: integer
- title: TCP port to listen on
- multi: false
- required: true
- show_user: true
- default: 9523
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: logfile
- enabled: false
- title: Apache Tomcat logs
- description: Collect Apache Tomcat logs from file
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/tomcat-log.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - tomcat-log
- - forwarded
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/tomcat/1.4.1/data_stream/log/sample_event.json b/packages/tomcat/1.4.1/data_stream/log/sample_event.json
deleted file mode 100755
index 638afcab0c..0000000000
--- a/packages/tomcat/1.4.1/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,121 +0,0 @@
-{
- "@timestamp": "2016-01-29T06:09:59.000Z",
- "agent": {
- "ephemeral_id": "528bd303-0b99-4387-b3b4-664e9d2c2c7d",
- "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "data_stream": {
- "dataset": "tomcat.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
- "snapshot": true,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "code": "asdf",
- "dataset": "tomcat.log",
- "ingested": "2022-01-25T13:09:06Z",
- "timezone": "+00:00"
- },
- "file": {
- "name": "vol"
- },
- "http": {
- "request": {
- "referrer": "https://mail.example.net/turadipi/aeca.htm?ntium=psaq#cer"
- }
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "172.30.0.4:57544"
- }
- },
- "observer": {
- "product": "TomCat",
- "type": "Web",
- "vendor": "Apache"
- },
- "related": {
- "hosts": [
- "example.com",
- "https://example.com/illumqui/ventore.html?min=ite#utl",
- "mail.example.net"
- ],
- "ip": [
- "10.251.224.219"
- ],
- "user": [
- "rci"
- ]
- },
- "rsa": {
- "internal": {
- "level": 1516,
- "messageid": "asdf"
- },
- "misc": {
- "action": [
- "exercita"
- ],
- "result_code": "ntsunti"
- },
- "network": {
- "network_service": "oremi"
- },
- "time": {
- "event_time": "2016-01-29T06:09:59.000Z",
- "timezone": "OMST"
- },
- "web": {
- "alias_host": "https://example.com/illumqui/ventore.html?min=ite#utl",
- "fqdn": "https://example.com/illumqui/ventore.html?min=ite#utl",
- "web_cookie": "aliqu\n",
- "web_ref_domain": "mail.example.net"
- }
- },
- "source": {
- "bytes": 5293,
- "ip": [
- "10.251.224.219"
- ]
- },
- "tags": [
- "tomcat-log",
- "forwarded"
- ],
- "url": {
- "domain": "example.com",
- "query": "amremap",
- "registered_domain": "example.com",
- "top_level_domain": "com"
- },
- "user": {
- "name": "rci"
- },
- "user_agent": {
- "device": {
- "name": "G8142"
- },
- "name": "Chrome Mobile",
- "original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
- "os": {
- "full": "Android 9",
- "name": "Android",
- "version": "9"
- },
- "version": "83.0.4103.83"
- }
-}
\ No newline at end of file
diff --git a/packages/tomcat/1.4.1/docs/README.md b/packages/tomcat/1.4.1/docs/README.md
deleted file mode 100755
index 13a5bf8236..0000000000
--- a/packages/tomcat/1.4.1/docs/README.md
+++ /dev/null
@@ -1,839 +0,0 @@
-# Tomcat integration
-
-This integration is for [Tomcat device's](https://tomcat.apache.org/tomcat-10.0-doc/logging.html) logs. It includes the following
-datasets for receiving logs over syslog or read from a file:
-
-- `log` dataset: supports Apache Tomcat logs.
-
-### Log
-
-The `log` dataset collects Apache Tomcat logs.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| container.id | Unique container id. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
-| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
-| destination.port | Port of the destination. | long |
-| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.domain | Server domain. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword |
-| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
-| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| file.type | File type (file, dir, or symlink). | keyword |
-| geo.city_name | City name. | keyword |
-| geo.country_name | Country name. | keyword |
-| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| geo.region_name | Region name. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.offset | Log offset | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
-| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.interface.name | | keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| observer.egress.interface.name | Interface name as reported by the system. | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
-| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
-| process.parent.pid | Process id. | long |
-| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
-| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text |
-| process.pid | Process id. | long |
-| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
-| process.title.text | Multi-field of `process.title`. | match_only_text |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long |
-| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword |
-| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long |
-| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword |
-| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long |
-| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword |
-| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword |
-| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword |
-| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword |
-| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword |
-| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword |
-| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword |
-| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long |
-| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword |
-| rsa.crypto.cert_checksum | | keyword |
-| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword |
-| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword |
-| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword |
-| rsa.crypto.cert_host_name | Deprecated key defined only in table map. 
| keyword | -| rsa.crypto.cert_issuer | | keyword | -| rsa.crypto.cert_keysize | | keyword | -| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | -| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | -| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | -| rsa.crypto.cert_username | | keyword | -| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | -| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | -| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | -| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | -| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | -| rsa.crypto.d_certauth | | keyword | -| rsa.crypto.https_insact | | keyword | -| rsa.crypto.https_valid | | keyword | -| rsa.crypto.ike | IKE negotiation phase. 
| keyword | -| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | -| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | -| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | -| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | -| rsa.crypto.s_certauth | | keyword | -| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | -| rsa.crypto.sig_type | This key captures the Signature Type | keyword | -| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | -| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | -| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | -| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | -| rsa.db.db_pid | This key captures the process id of a connection with database server | long | -| rsa.db.index | This key captures IndexID of the index. | keyword | -| rsa.db.instance | This key is used to capture the database server instance name | keyword | -| rsa.db.lread | This key is used for the number of logical reads | long | -| rsa.db.lwrite | This key is used for the number of logical writes | long | -| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | -| rsa.db.pread | This key is used for the number of physical writes | long | -| rsa.db.table_name | This key is used to capture the table name | keyword | -| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | -| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | -| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | -| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | -| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | -| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | -| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | -| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | -| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | -| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | -| rsa.file.attachment | This key captures the attachment file name | keyword | -| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | -| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | -| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | -| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | -| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | -| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | -| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | -| rsa.file.filename_tmp | | keyword | -| rsa.file.filesystem | | keyword | -| rsa.file.privilege | Deprecated, use permissions | keyword | -| rsa.file.task_name | This is used to capture name of the task | keyword | -| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | -| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | -| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | -| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | -| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | -| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | -| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | -| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | -| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | -| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | -| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | -| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | -| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | -| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | -| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.org | This key captures the User organization | keyword | -| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | -| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | -| rsa.identity.profile | This key is used to capture the user profile | keyword | -| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | -| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | -| rsa.identity.user_dept | User's Department Names only | keyword | -| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | -| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | -| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | -| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.data | Deprecated key defined only in table map. | keyword | -| rsa.internal.dead | Deprecated key defined only in table map. | long | -| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | -| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.event_desc | | keyword | -| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | -| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | -| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.inode | Deprecated key defined only in table map. | long | -| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | -| rsa.internal.level | Deprecated key defined only in table map. | long | -| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | -| rsa.internal.message | This key captures the contents of instant messages | keyword | -| rsa.internal.messageid | | keyword | -| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | -| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | -| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | -| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | -| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | -| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.site | Deprecated key defined only in table map. | keyword | -| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.statement | Deprecated key defined only in table map. | keyword | -| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | -| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | -| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | -| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | -| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | -| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | -| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | -| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | -| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | -| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | -| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | -| rsa.investigations.event_cat | This key captures the Event category number | long | -| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | -| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | -| rsa.investigations.inv_category | This used to capture investigation category | keyword | -| rsa.investigations.inv_context | This used to capture investigation context | keyword | -| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | -| rsa.misc.OS | This key captures the Name of the Operating System | keyword | -| rsa.misc.acl_id | | keyword | -| rsa.misc.acl_op | | keyword | -| rsa.misc.acl_pos | | keyword | -| rsa.misc.acl_table | | keyword | -| rsa.misc.action | | keyword | -| rsa.misc.admin | | keyword | -| rsa.misc.agent_id | This key is used to capture agent id | keyword | -| rsa.misc.alarm_id | | keyword | -| rsa.misc.alarmname | | keyword | -| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.app_id | | keyword | -| rsa.misc.audit | | keyword | -| rsa.misc.audit_object | | keyword | -| rsa.misc.auditdata | | keyword | -| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | -| rsa.misc.benchmark | | keyword | -| rsa.misc.bypass | | keyword | -| rsa.misc.cache | | keyword | -| rsa.misc.cache_hit | | keyword | -| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | -| rsa.misc.cc_number | Valid Credit Card Numbers only | long | -| rsa.misc.cefversion | | keyword | -| rsa.misc.cfg_attr | | keyword | -| rsa.misc.cfg_obj | | keyword | -| rsa.misc.cfg_path | | keyword | -| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | -| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | -| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | -| rsa.misc.changes | | keyword | -| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | -| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | -| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | -| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | -| rsa.misc.client_ip | | keyword | -| rsa.misc.clustermembers | | keyword | -| rsa.misc.cmd | | keyword | -| rsa.misc.cn_acttimeout | | keyword | -| rsa.misc.cn_asn_src | | keyword | -| rsa.misc.cn_bgpv4nxthop | | keyword | -| rsa.misc.cn_ctr_dst_code | | keyword | -| rsa.misc.cn_dst_tos | | keyword | -| rsa.misc.cn_dst_vlan | | keyword | -| rsa.misc.cn_engine_id | | keyword | -| rsa.misc.cn_engine_type | | keyword | -| rsa.misc.cn_f_switch | | keyword | -| rsa.misc.cn_flowsampid | | keyword | -| rsa.misc.cn_flowsampintv | | keyword | -| rsa.misc.cn_flowsampmode | | keyword | -| rsa.misc.cn_inacttimeout | | keyword | -| rsa.misc.cn_inpermbyts | | keyword | -| rsa.misc.cn_inpermpckts | | keyword | -| rsa.misc.cn_invalid | | keyword | -| rsa.misc.cn_ip_proto_ver | | keyword | -| rsa.misc.cn_ipv4_ident | | keyword | -| rsa.misc.cn_l_switch | | keyword | -| rsa.misc.cn_log_did | | keyword | -| rsa.misc.cn_log_rid | | keyword | -| rsa.misc.cn_max_ttl | | keyword | -| rsa.misc.cn_maxpcktlen | | keyword | -| rsa.misc.cn_min_ttl | | keyword | -| rsa.misc.cn_minpcktlen | | keyword | -| rsa.misc.cn_mpls_lbl_1 | | keyword | -| rsa.misc.cn_mpls_lbl_10 | | keyword | -| rsa.misc.cn_mpls_lbl_2 | | keyword | -| rsa.misc.cn_mpls_lbl_3 | | keyword | -| rsa.misc.cn_mpls_lbl_4 | | keyword | -| rsa.misc.cn_mpls_lbl_5 | 
| keyword | -| rsa.misc.cn_mpls_lbl_6 | | keyword | -| rsa.misc.cn_mpls_lbl_7 | | keyword | -| rsa.misc.cn_mpls_lbl_8 | | keyword | -| rsa.misc.cn_mpls_lbl_9 | | keyword | -| rsa.misc.cn_mplstoplabel | | keyword | -| rsa.misc.cn_mplstoplabip | | keyword | -| rsa.misc.cn_mul_dst_byt | | keyword | -| rsa.misc.cn_mul_dst_pks | | keyword | -| rsa.misc.cn_muligmptype | | keyword | -| rsa.misc.cn_sampalgo | | keyword | -| rsa.misc.cn_sampint | | keyword | -| rsa.misc.cn_seqctr | | keyword | -| rsa.misc.cn_spackets | | keyword | -| rsa.misc.cn_src_tos | | keyword | -| rsa.misc.cn_src_vlan | | keyword | -| rsa.misc.cn_sysuptime | | keyword | -| rsa.misc.cn_template_id | | keyword | -| rsa.misc.cn_totbytsexp | | keyword | -| rsa.misc.cn_totflowexp | | keyword | -| rsa.misc.cn_totpcktsexp | | keyword | -| rsa.misc.cn_unixnanosecs | | keyword | -| rsa.misc.cn_v6flowlabel | | keyword | -| rsa.misc.cn_v6optheaders | | keyword | -| rsa.misc.code | | keyword | -| rsa.misc.command | | keyword | -| rsa.misc.comments | Comment information provided in the log message | keyword | -| rsa.misc.comp_class | | keyword | -| rsa.misc.comp_name | | keyword | -| rsa.misc.comp_rbytes | | keyword | -| rsa.misc.comp_sbytes | | keyword | -| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | -| rsa.misc.connection_id | This key captures the Connection ID | keyword | -| rsa.misc.content | This key captures the content type from protocol headers | keyword | -| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | -| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | -| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | -| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | -| rsa.misc.context_target | | keyword | -| rsa.misc.count | | keyword | -| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | -| rsa.misc.cpu_data | | keyword | -| rsa.misc.criticality | | keyword | -| rsa.misc.cs_agency_dst | | keyword | -| rsa.misc.cs_analyzedby | | keyword | -| rsa.misc.cs_av_other | | keyword | -| rsa.misc.cs_av_primary | | keyword | -| rsa.misc.cs_av_secondary | | keyword | -| rsa.misc.cs_bgpv6nxthop | | keyword | -| rsa.misc.cs_bit9status | | keyword | -| rsa.misc.cs_context | | keyword | -| rsa.misc.cs_control | | keyword | -| rsa.misc.cs_data | | keyword | -| rsa.misc.cs_datecret | | keyword | -| rsa.misc.cs_dst_tld | | keyword | -| rsa.misc.cs_eth_dst_ven | | keyword | -| rsa.misc.cs_eth_src_ven | | keyword | -| rsa.misc.cs_event_uuid | | keyword | -| rsa.misc.cs_filetype | | keyword | -| rsa.misc.cs_fld | | keyword | -| rsa.misc.cs_if_desc | | keyword | -| rsa.misc.cs_if_name | | keyword | -| rsa.misc.cs_ip_next_hop | | keyword | -| rsa.misc.cs_ipv4dstpre | | keyword | -| rsa.misc.cs_ipv4srcpre | | keyword | -| rsa.misc.cs_lifetime | | keyword | -| rsa.misc.cs_log_medium | | keyword | -| rsa.misc.cs_loginname | | keyword | -| rsa.misc.cs_modulescore | | keyword | -| rsa.misc.cs_modulesign | | keyword | -| rsa.misc.cs_opswatresult | | keyword | -| rsa.misc.cs_payload | | keyword | -| rsa.misc.cs_registrant | | keyword | -| rsa.misc.cs_registrar | | keyword | -| rsa.misc.cs_represult | | keyword | -| rsa.misc.cs_rpayload | | keyword | -| rsa.misc.cs_sampler_name | | keyword | -| rsa.misc.cs_sourcemodule | | keyword | -| rsa.misc.cs_streams | | keyword | -| rsa.misc.cs_targetmodule | | keyword | -| rsa.misc.cs_v6nxthop | | keyword | -| rsa.misc.cs_whois_server | | keyword | -| rsa.misc.cs_yararesult | | keyword | -| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | -| rsa.misc.data_type | | keyword | -| rsa.misc.description | | keyword | -| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | -| rsa.misc.devvendor | | keyword | -| rsa.misc.disposition | This key captures the The end state of an action. | keyword | -| rsa.misc.distance | | keyword | -| rsa.misc.doc_number | This key captures File Identification number | long | -| rsa.misc.dstburb | | keyword | -| rsa.misc.edomain | | keyword | -| rsa.misc.edomaub | | keyword | -| rsa.misc.ein_number | Employee Identification Numbers only | long | -| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | -| rsa.misc.euid | | keyword | -| rsa.misc.event_category | | keyword | -| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | -| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | -| rsa.misc.event_id | | keyword | -| rsa.misc.event_log | This key captures the Name of the event log | keyword | -| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | -| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | -| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | -| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | -| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | -| rsa.misc.facility | | keyword | -| rsa.misc.facilityname | | keyword | -| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | -| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | -| rsa.misc.finterface | | keyword | -| rsa.misc.flags | | keyword | -| rsa.misc.forensic_info | | keyword | -| rsa.misc.found | This is used to capture the results of regex match | keyword | -| rsa.misc.fresult | This key captures the Filter Result | long | -| rsa.misc.gaddr | | keyword | -| rsa.misc.group | This key captures the Group Name value | keyword | -| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | -| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | -| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | -| rsa.misc.id3 | | keyword | -| rsa.misc.im_buddyid | | keyword | -| rsa.misc.im_buddyname | | keyword | -| rsa.misc.im_client | | keyword | -| rsa.misc.im_croomid | | keyword | -| rsa.misc.im_croomtype | | keyword | -| rsa.misc.im_members | | keyword | -| rsa.misc.im_userid | | keyword | -| rsa.misc.im_username | | keyword | -| rsa.misc.index | | keyword | -| rsa.misc.inout | | keyword | -| rsa.misc.ipkt | | keyword | -| rsa.misc.ipscat | | keyword | -| rsa.misc.ipspri | | keyword | -| rsa.misc.job_num | This key captures the Job Number | keyword | -| rsa.misc.jobname | | keyword | -| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | -| rsa.misc.latitude | | keyword | -| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | -| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | -| rsa.misc.linenum | | keyword | -| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.misc.list_name | | keyword | -| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | -| rsa.misc.load_data | | keyword | -| rsa.misc.location_floor | | keyword | -| rsa.misc.location_mark | | keyword | -| rsa.misc.log_id | | keyword | -| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | -| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | -| rsa.misc.log_type | | keyword | -| rsa.misc.logid | | keyword | -| rsa.misc.logip | | keyword | -| rsa.misc.logname | | keyword | -| rsa.misc.longitude | | keyword | -| rsa.misc.lport | | keyword | -| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | -| rsa.misc.match | This key is for regex match name from search.ini | keyword | -| rsa.misc.mbug_data | | keyword | -| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | -| rsa.misc.misc | | keyword | -| rsa.misc.misc_name | | keyword | -| rsa.misc.mode | | keyword | -| rsa.misc.msgIdPart1 | | keyword | -| rsa.misc.msgIdPart2 | | keyword | -| rsa.misc.msgIdPart3 | | keyword | -| rsa.misc.msgIdPart4 | | keyword | -| rsa.misc.msg_type | | keyword | -| rsa.misc.msgid | | keyword | -| rsa.misc.name | | keyword | -| rsa.misc.netsessid | | keyword | -| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | -| rsa.misc.ntype | | keyword | -| rsa.misc.num | | keyword | -| rsa.misc.number | | keyword | -| rsa.misc.number1 | | keyword | -| rsa.misc.number2 | | keyword | -| rsa.misc.nwwn | | keyword | -| rsa.misc.obj_name | This is used to capture name of object | keyword | -| rsa.misc.obj_type | This is used to capture type of object | keyword | -| rsa.misc.object | | keyword | -| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | -| rsa.misc.operation | | keyword | -| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | -| rsa.misc.opkt | | keyword | -| rsa.misc.orig_from | | keyword | -| rsa.misc.owner_id | | keyword | -| rsa.misc.p_action | | keyword | -| rsa.misc.p_filter | | keyword | -| rsa.misc.p_group_object | | keyword | -| rsa.misc.p_id | | keyword | -| rsa.misc.p_msgid | | keyword | -| rsa.misc.p_msgid1 | | keyword | -| rsa.misc.p_msgid2 | | keyword | -| rsa.misc.p_result1 | | keyword | -| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | -| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | -| rsa.misc.param_src | This key captures source parameter | keyword | -| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | -| rsa.misc.password_chg | | keyword | -| rsa.misc.password_expire | | keyword | -| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | -| rsa.misc.payload_src | This key is used to capture source payload | keyword | -| rsa.misc.permgranted | | keyword | -| rsa.misc.permwanted | | keyword | -| rsa.misc.pgid | | keyword | -| rsa.misc.phone | | keyword | -| rsa.misc.pid | | keyword | -| rsa.misc.policy | | keyword | -| rsa.misc.policyUUID | | keyword | -| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | -| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | -| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | -| rsa.misc.policy_waiver | | keyword | -| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | -| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | -| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | -| rsa.misc.priority | | keyword | -| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | -| rsa.misc.prog_asp_num | | keyword | -| rsa.misc.program | | keyword | -| rsa.misc.real_data | | keyword | -| rsa.misc.reason | | keyword | -| rsa.misc.rec_asp_device | | keyword | -| rsa.misc.rec_asp_num | | keyword | -| rsa.misc.rec_library | | keyword | -| rsa.misc.recordnum | | keyword | -| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | -| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | -| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | -| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | -| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | -| rsa.misc.risk | This key captures the non-numeric risk value | keyword | -| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_num | This key captures a Numeric Risk value | double | -| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | -| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | -| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | -| rsa.misc.risk_num_static | This key captures Risk Number Static | double | -| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.ruid | | keyword | -| rsa.misc.rule | This key captures the Rule number | keyword | -| rsa.misc.rule_group | This key captures the Rule group name | keyword | -| rsa.misc.rule_name | This key captures the Rule Name | keyword | -| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | -| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | -| rsa.misc.sburb | | keyword | -| rsa.misc.sdomain_fld | | keyword | -| rsa.misc.search_text | This key captures the Search Text used | keyword | -| rsa.misc.sec | | keyword | -| rsa.misc.second | | keyword | -| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | -| rsa.misc.sensorname | | keyword | -| rsa.misc.seqnum | | keyword | -| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | -| rsa.misc.session | | keyword | -| rsa.misc.sessiontype | | keyword | -| rsa.misc.severity | This key is used to capture the severity given the session | keyword | -| rsa.misc.sigUUID | | keyword | -| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | -| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | -| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | -| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | -| rsa.misc.sigcat | | keyword | -| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | -| rsa.misc.snmp_value | SNMP set request value | keyword | -| rsa.misc.space | | keyword | -| rsa.misc.space1 | | keyword | -| rsa.misc.spi | | keyword | -| rsa.misc.spi_dst | Destination SPI Index | keyword | -| rsa.misc.spi_src | Source SPI Index | keyword | -| rsa.misc.sql | This key captures the SQL query | keyword | -| rsa.misc.srcburb | | keyword | -| rsa.misc.srcdom | | keyword | -| rsa.misc.srcservice | | keyword | -| rsa.misc.state | | keyword | -| rsa.misc.status | | keyword | -| rsa.misc.status1 | | keyword | -| rsa.misc.streams | This key captures number of streams in session | long | -| rsa.misc.subcategory | | keyword | -| rsa.misc.svcno | | keyword | -| rsa.misc.system | | keyword | -| rsa.misc.tbdstr1 | | keyword | -| rsa.misc.tbdstr2 | | keyword | -| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | -| rsa.misc.terminal | This key captures the Terminal Names only | keyword | -| rsa.misc.tgtdom | | keyword | -| rsa.misc.tgtdomain | | keyword | -| rsa.misc.threshold | | keyword | -| rsa.misc.tos | This key describes the type of service | long 
| -| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | -| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | -| rsa.misc.type | | keyword | -| rsa.misc.type1 | | keyword | -| rsa.misc.udb_class | | keyword | -| rsa.misc.url_fld | | keyword | -| rsa.misc.user_div | | keyword | -| rsa.misc.userid | | keyword | -| rsa.misc.username_fld | | keyword | -| rsa.misc.utcstamp | | keyword | -| rsa.misc.v_instafname | | keyword | -| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | -| rsa.misc.virt_data | | keyword | -| rsa.misc.virusname | This key captures the name of the virus | keyword | -| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword | -| rsa.misc.vpnid | | keyword | -| rsa.misc.vsys | This key captures Virtual System Name | keyword | -| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | -| rsa.misc.workspace | This key captures Workspace Description | keyword | -| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | -| rsa.network.addr | | keyword | -| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | -| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | -| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | -| rsa.network.dns_a_record | | keyword | -| rsa.network.dns_cname_record | | keyword | -| rsa.network.dns_id | | keyword | -| rsa.network.dns_opcode | | keyword | -| rsa.network.dns_ptr_record | | keyword | -| rsa.network.dns_resp | | keyword | -| rsa.network.dns_type | | keyword | -| rsa.network.domain | | keyword | -| rsa.network.domain1 | | keyword | -| rsa.network.eth_host | Deprecated, use alias.mac | keyword | -| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | -| rsa.network.faddr | | keyword | -| rsa.network.fhost | | keyword | -| rsa.network.fport | | keyword | -| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | -| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | -| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | -| rsa.network.host_type | | keyword | -| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | -| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | -| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | -| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | -| rsa.network.laddr | | keyword | -| rsa.network.lhost | | keyword | -| rsa.network.linterface | | keyword | -| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | -| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | -| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | -| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | -| rsa.network.origin | | keyword | -| rsa.network.packet_length | | keyword | -| rsa.network.paddr | Deprecated | ip | -| rsa.network.phost | | keyword | -| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | -| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | -| rsa.network.remote_domain_id | | keyword | -| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | -| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | -| rsa.network.smask | This key is used for capturing source Network Mask | keyword | -| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | -| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | -| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | -| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | -| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | -| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | -| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | -| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | -| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | -| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | -| rsa.threat.alert | This key is used to capture name of the alert | keyword | -| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | -| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | -| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | -| rsa.time.date | | keyword | -| rsa.time.datetime | | keyword | -| rsa.time.day | | keyword | -| rsa.time.duration_str | A text string version of the duration | keyword | -| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | -| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | -| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | -| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | -| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | -| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | -| rsa.time.eventtime | | keyword | -| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | -| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | -| rsa.time.gmtdate | | keyword | -| rsa.time.gmttime | | keyword | -| rsa.time.hour | | keyword | -| rsa.time.min | | keyword | -| rsa.time.month | | keyword | -| rsa.time.p_date | | keyword | -| rsa.time.p_month | | keyword | -| rsa.time.p_time | | keyword | -| rsa.time.p_time1 | | keyword | -| rsa.time.p_time2 | | keyword | -| rsa.time.p_year | | keyword | -| rsa.time.process_time | Deprecated, use duration.time | keyword | -| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | -| rsa.time.stamp | Deprecated key defined only in table map. | date | -| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | -| rsa.time.timestamp | | keyword | -| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | -| rsa.time.tzone | | keyword | -| rsa.time.year | | keyword | -| rsa.web.alias_host | | keyword | -| rsa.web.cn_asn_dst | | keyword | -| rsa.web.cn_rpackets | | keyword | -| rsa.web.fqdn | Fully Qualified Domain Names | keyword | -| rsa.web.p_url | | keyword | -| rsa.web.p_user_agent | | keyword | -| rsa.web.p_web_cookie | | keyword | -| rsa.web.p_web_method | | keyword | -| rsa.web.p_web_referer | | keyword | -| rsa.web.remote_domain | | keyword | -| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | -| rsa.web.urlpage | | keyword | -| rsa.web.urlroot | | keyword | -| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | -| rsa.web.web_extension_tmp | | keyword | -| rsa.web.web_page | | keyword | -| rsa.web.web_ref_domain | Web referer's domain | keyword | -| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | -| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | -| rsa.web.web_ref_root | Web referer's root URL path | keyword | -| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | -| rsa.wireless.wlan_channel | This is used to capture the channel names | long | -| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | -| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. 
| keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | -| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. 
| match_only_text |
-| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| user_agent.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
diff --git a/packages/tomcat/1.4.1/img/logo.svg b/packages/tomcat/1.4.1/img/logo.svg
deleted file mode 100755
index 410a468872..0000000000
--- a/packages/tomcat/1.4.1/img/logo.svg
+++ /dev/null
@@ -1,107 +0,0 @@
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
diff --git a/packages/tomcat/1.4.1/manifest.yml b/packages/tomcat/1.4.1/manifest.yml
deleted file mode 100755
index ad5f1bae1c..0000000000
--- a/packages/tomcat/1.4.1/manifest.yml
+++ /dev/null
@@ -1,32 +0,0 @@ -format_version: 1.0.0 -name: tomcat -title: Apache Tomcat -version: 1.4.1 -description: Collect and parse logs from Apache Tomcat servers with Elastic Agent. -categories: ["web", "security"] -release: ga -license: basic -type: integration -conditions: - kibana.version: "^7.14.1 || ^8.0.0" -policy_templates: - - name: log - title: Apache Tomcat - description: Collect Apache Tomcat logs from syslog or a file. - inputs: - - type: udp - title: Collect logs from Apache Tomcat via UDP - description: Collecting syslog from Apache Tomcat via UDP - - type: tcp - title: Collect logs from Apache Tomcat via TCP - description: Collecting syslog from Apache Tomcat via TCP - - type: logfile - title: Collect logs from Apache Tomcat via file - description: Collecting syslog from Apache Tomcat via file. -icons: - - src: /img/logo.svg - title: Apache Tomcat logo - size: 32x32 - type: image/svg+xml -owner: - github: elastic/security-external-integrations diff --git a/packages/udp/1.1.1/changelog.yml b/packages/udp/1.1.1/changelog.yml deleted file mode 100755 index 5df3dafc32..0000000000 --- a/packages/udp/1.1.1/changelog.yml +++ /dev/null @@ -1,20 +0,0 @@ -- version: "1.1.1" - changes: - - description: Fixing typo in readme - type: bugfix - link: https://github.com/elastic/integrations/pull/3175 -- version: "1.1.0" - changes: - - description: Update ECS to 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2781 -- version: "1.0.1" - changes: - - description: Fixing typo in manifest for listen address - type: bugfix - link: https://github.com/elastic/integrations/pull/2671 -- version: "1.0.0" - changes: - - description: Initial Release - type: enhancement - link: https://github.com/elastic/integrations/pull/2170 diff --git a/packages/udp/1.1.1/data_stream/generic/agent/stream/udp.yml.hbs b/packages/udp/1.1.1/data_stream/generic/agent/stream/udp.yml.hbs deleted file mode 100755 index b7c55afa67..0000000000 
--- a/packages/udp/1.1.1/data_stream/generic/agent/stream/udp.yml.hbs +++ /dev/null @@ -1,31 +0,0 @@ -data_stream: - dataset: {{data_stream.dataset}} -host: {{listen_address}}:{{listen_port}} -{{#if pipeline}} -pipeline: {{pipeline}} -{{/if}} -{{#if max_message_size}} -max_message_size: {{max_message_size}} -{{/if}} -{{#if read_buffer_size}} -read_buffer: {{read_buffer_size}} -{{/if}} -{{#if timeout}} -timeout: {{timeout}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{/if}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/udp/1.1.1/data_stream/generic/fields/base-fields.yml b/packages/udp/1.1.1/data_stream/generic/fields/base-fields.yml deleted file mode 100755 index 12293deacd..0000000000 --- a/packages/udp/1.1.1/data_stream/generic/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: udp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: udp.generic -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/udp/1.1.1/data_stream/generic/fields/beats.yml b/packages/udp/1.1.1/data_stream/generic/fields/beats.yml deleted file mode 100755 index ede6958855..0000000000 --- a/packages/udp/1.1.1/data_stream/generic/fields/beats.yml +++ /dev/null @@ -1,6 +0,0 @@ -- name: input.type - description: Type of Filebeat input. - type: keyword -- name: tags - type: keyword - description: User defined tags 
diff --git a/packages/udp/1.1.1/data_stream/generic/fields/ecs.yml b/packages/udp/1.1.1/data_stream/generic/fields/ecs.yml
deleted file mode 100755
index 072335f371..0000000000
--- a/packages/udp/1.1.1/data_stream/generic/fields/ecs.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: The IP or DNS name of the source sending the UDP packet. - name: log.source.address - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text
diff --git a/packages/udp/1.1.1/data_stream/generic/manifest.yml b/packages/udp/1.1.1/data_stream/generic/manifest.yml
deleted file mode 100755
index 2c917d3e08..0000000000
--- a/packages/udp/1.1.1/data_stream/generic/manifest.yml
+++ /dev/null
@@ -1,81 +0,0 @@ -title: Custom UDP Logs -type: logs -streams: - - input: udp - description: Collect raw UDP data from listening UDP port with Elastic Agent. - title: Custom UDP Logs - template_path: udp.yml.hbs - vars: - - name: listen_address - type: text - title: Listen Address - description: | - Bind address for the listener. Use 0.0.0.0 to listen on all interfaces. - required: true - show_user: true - default: localhost - - name: listen_port - type: text - title: Listen Port - description: | - Bind port for the listener. - required: true - show_user: true - default: 8080 - - name: data_stream.dataset - type: text - title: Dataset name - description: | - Dataset to write data to. Changing the dataset will send the data to a different index. You can't use `-` in the name of a dataset and only valid characters for [Elasticsearch index names](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-index_.html). - default: udp.generic - required: true - show_user: true - - name: pipeline - type: text - title: Ingest Pipeline - description: | - The Ingest Node pipeline ID to be used by the integration. - required: false - show_user: true - - name: max_message_size - type: text - title: Max Message Size - description: The maximum size of the message received over UDP. The default is 10KiB - required: false - show_user: false - default: 10KiB - - name: read_buffer_size - type: text - title: Read Buffer Size - description: | - The size of the read buffer on the UDP socket in the format KiB/MiB, an example would be: 10KiB - required: false - show_user: false - - name: timeout - type: text - title: Timeout - description: The read and write timeout for socket operations. - required: false - show_user: false - - name: keep_null - type: bool - title: Timeout - description: If this option is set to true, fields with null values will be published in the output document. By default, keep_null is set to false. 
- required: false - show_user: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: | - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - name: tags - type: text - title: Tags - description: Tags to include in the published event - required: false - multi: true - show_user: true
diff --git a/packages/udp/1.1.1/data_stream/generic/sample_event.json b/packages/udp/1.1.1/data_stream/generic/sample_event.json
deleted file mode 100755
index a3ea74519e..0000000000
--- a/packages/udp/1.1.1/data_stream/generic/sample_event.json
+++ /dev/null
@@ -1,60 +0,0 @@ -{ - "@timestamp": "2021-11-17T11:47:14.951Z", - "agent": { - "ephemeral_id": "cc044f45-f102-43fa-95fd-78f7e03c71a2", - "hostname": "docker-fleet-agent", - "id": "c979ad84-c568-4e38-81eb-76da479696a1", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.16.0" - }, - "data_stream": { - "dataset": "udp.generic", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "c979ad84-c568-4e38-81eb-76da479696a1", - "snapshot": true, - "version": "7.16.0" - }, - "event": { - "agent_id_status": "verified", - "dataset": "udp.generic", - "ingested": "2021-11-17T11:47:15Z" - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "id": "b7d928c66a441dff2fa2fb14971411df", - "ip": [ - "192.168.48.7" - ], - "mac": [ - "02:42:c0:a8:30:07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "Core", - "family": "redhat", - "kernel": "5.10.60.1-microsoft-standard-WSL2", - "name": "CentOS Linux", - "platform": "centos", - "type": "linux", - "version": "7 (Core)" - } - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "192.168.48.4:51973" - } - }, - "message": "\u003c134\u003e1 2020-03-29T13:19:20Z testhostname testproductname 1930 - some longer testmessage. - a {2:2}.\n" -} \ No newline at end of file diff --git a/packages/udp/1.1.1/docs/README.md b/packages/udp/1.1.1/docs/README.md deleted file mode 100755 index b88047c2d3..0000000000 --- a/packages/udp/1.1.1/docs/README.md +++ /dev/null 
@@ -1,4 +0,0 @@
-# Custom UDP Log integration - -The custom UDP Log package intializes a listening UDP socket that collects any UDP traffic received and sends each line as a document to Elasticsearch. -Custom ingest pipelines may be added by adding the name to the pipeline configuration option, creating custom ingest pipelines can be done either through the API or the [Ingest Node Pipeline UI](/app/management/ingest/ingest_pipelines/).
diff --git a/packages/udp/1.1.1/img/icon.svg b/packages/udp/1.1.1/img/icon.svg
deleted file mode 100755
index 173fdec507..0000000000
--- a/packages/udp/1.1.1/img/icon.svg
+++ /dev/null
@@ -1,4 +0,0 @@
- - - -
\ No newline at end of file
diff --git a/packages/udp/1.1.1/manifest.yml b/packages/udp/1.1.1/manifest.yml
deleted file mode 100755
index 4fe38e8c84..0000000000
--- a/packages/udp/1.1.1/manifest.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-format_version: 1.0.0 -name: udp -title: Custom UDP Logs -description: Collect raw UDP data from listening UDP port with Elastic Agent. -type: integration -version: 1.1.1 -release: ga -conditions: - kibana.version: "^7.16.0 || ^8.0.0" -license: basic -categories: - - custom -policy_templates: - - name: udp - title: Custom UDP Logs - description: Collect raw UDP data from listening UDP port with Elastic Agent. - inputs: - - type: udp - title: Custom UDP Logs - description: Collect raw UDP data from listening UDP port with Elastic Agent. - multi: true -icons: - - src: "/img/icon.svg" - type: "image/svg+xml" -owner: - github: elastic/security-external-integrations
diff --git a/packages/winlog/1.5.1/changelog.yml b/packages/winlog/1.5.1/changelog.yml
deleted file mode 100755
index 3ceb0a3ec5..0000000000
--- a/packages/winlog/1.5.1/changelog.yml
+++ /dev/null
@@ -1,97 +0,0 @@ -# newer versions go on top -- version: "1.5.1" - changes: - - description: update readme added link to Microsoft documentation and reworded a link - type: enhancement - link: https://github.com/elastic/integrations/pull/3177 -- version: "1.5.0" - changes: - - description: Update to ECS 8.2 (documentation reference only) - type: enhancement - link: https://github.com/elastic/integrations/pull/2781 -- version: "1.4.0" - changes: - - description: Expose winlog input ignore_older option. - type: enhancement - link: https://github.com/elastic/integrations/pull/2542 - - description: Fix preserve original event option - type: bugfix - link: https://github.com/elastic/integrations/pull/2542 - - description: Make order of options consistent with other winlog based integrations. - type: enhancement - link: https://github.com/elastic/integrations/pull/2542 -- version: "1.3.0" - changes: - - description: Expose winlog input language option. - type: enhancement - link: https://github.com/elastic/integrations/pull/2344 -- version: "1.2.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2268 -- version: "1.1.2" - changes: - - description: Uniform with guidelines - type: enhancement - link: https://github.com/elastic/integrations/pull/2079 -- version: "1.1.1" - changes: - - description: Update Splunk input description - type: enhancement - link: https://github.com/elastic/integrations/pull/2067 -- version: "1.1.0" - changes: - - description: Consistently map message field in Windows integrations. - type: bugfix - link: https://github.com/elastic/integrations/pull/2008 -- version: "1.0.3" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1991 -- version: "1.0.2" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1860 -- version: "1.0.1" - changes: - - description: Fix drop_event processor example by using event ID string values in conditions. - type: bugfix - link: https://github.com/elastic/integrations/pull/1755 -- version: "1.0.0" - changes: - - description: make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1716 -- version: "0.4.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.3.0" - changes: - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1277 -- version: "0.2.2" - changes: - - description: Add support for Splunk authorization tokens - type: enhancement - link: https://github.com/elastic/integrations/pull/1147 -- version: "0.2.1" - changes: - - description: Change Splunk input to use the decode_xml_wineventlog processor. - type: enhancement - link: https://github.com/elastic/integrations/pull/922 -- version: "0.2.0" - changes: - - description: Add Splunk httpjson input - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/884 -- version: "0.1.0" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/794 diff --git a/packages/winlog/1.5.1/data_stream/winlog/agent/stream/httpjson.yml.hbs b/packages/winlog/1.5.1/data_stream/winlog/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 4d575f3f66..0000000000 --- a/packages/winlog/1.5.1/data_stream/winlog/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,103 +0,0 @@ -data_stream: - dataset: {{data_stream.dataset}} -config_version: "2" -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: |- - {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: - - decode_json_fields: - fields: message - target: json - add_error_key: true - - drop_event: - when: - not: - has_fields: ['json.result'] - - fingerprint: - fields: - - json.result._cd - - json.result._indextime - - json.result._raw - - json.result._time - - json.result.host - - json.result.source - target_field: "@metadata._id" - - drop_fields: - fields: message - - rename: - fields: - - from: json.result._raw - to: event.original - - from: json.result.host - to: host.name - - from: json.result.source - to: event.provider - ignore_missing: true - fail_on_error: false - - drop_fields: - fields: json - - decode_xml_wineventlog: - field: event.original - target_field: winlog - ignore_missing: true - 
ignore_failure: true - map_ecs_fields: true - - timestamp: - field: winlog.time_created - layouts: - - '2006-01-02T15:04:05Z' - - '2006-01-02T15:04:05.999Z' - - '2006-01-02T15:04:05.999-07:00' - test: - - '2019-06-22T16:33:51Z' - - '2019-11-18T04:59:51.123Z' - - '2020-08-03T07:10:20.123456+02:00' diff --git a/packages/winlog/1.5.1/data_stream/winlog/agent/stream/winlog.yml.hbs b/packages/winlog/1.5.1/data_stream/winlog/agent/stream/winlog.yml.hbs deleted file mode 100755 index 0284cea2d0..0000000000 --- a/packages/winlog/1.5.1/data_stream/winlog/agent/stream/winlog.yml.hbs +++ /dev/null @@ -1,23 +0,0 @@ -condition: ${host.platform} == 'windows' -data_stream: - dataset: {{data_stream.dataset}} -name: {{channel}} -{{#if preserve_original_event}} -include_xml: true -{{/if}} -{{#if event_id}} -event_id: {{event_id}} -{{/if}} -{{#if ignore_older}} -ignore_older: {{ignore_older}} -{{/if}} -{{#if language}} -language: {{language}} -{{/if}} -{{#if tags.length}} -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{/if}} -{{custom}} \ No newline at end of file diff --git a/packages/winlog/1.5.1/data_stream/winlog/fields/base-fields.yml b/packages/winlog/1.5.1/data_stream/winlog/fields/base-fields.yml deleted file mode 100755 index bd3bf4d2e9..0000000000 --- a/packages/winlog/1.5.1/data_stream/winlog/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: winlog -- name: event.dataset - type: constant_keyword - description: Event dataset - value: winlog.winlog -- name: '@timestamp' - type: date - description: Event timestamp. 
diff --git a/packages/winlog/1.5.1/data_stream/winlog/fields/beats.yml b/packages/winlog/1.5.1/data_stream/winlog/fields/beats.yml
deleted file mode 100755
index ede6958855..0000000000
--- a/packages/winlog/1.5.1/data_stream/winlog/fields/beats.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-- name: input.type - description: Type of Filebeat input. - type: keyword -- name: tags - type: keyword - description: User defined tags
diff --git a/packages/winlog/1.5.1/data_stream/winlog/fields/ecs.yml b/packages/winlog/1.5.1/data_stream/winlog/fields/ecs.yml
deleted file mode 100755
index c20d15582b..0000000000
--- a/packages/winlog/1.5.1/data_stream/winlog/fields/ecs.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text
diff --git a/packages/winlog/1.5.1/data_stream/winlog/fields/winlog.yml b/packages/winlog/1.5.1/data_stream/winlog/fields/winlog.yml
deleted file mode 100755
index cd357afbe9..0000000000
--- a/packages/winlog/1.5.1/data_stream/winlog/fields/winlog.yml
+++ /dev/null
@@ -1,612 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. - - The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: computerObject - type: group - description: > - computer Object data - - fields: - - name: domain - type: keyword - - name: id - type: keyword - - name: name - type: keyword - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. 
- - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. - - fields: - - name: AccessGranted - type: keyword - - name: AccessRemoved - type: keyword - - name: AccountDomain - type: keyword - - name: AccountExpires - type: keyword - - name: AccountName - type: keyword - - name: AllowedToDelegateTo - type: keyword - - name: AuditPolicyChanges - type: keyword - - name: AuditPolicyChangesDescription - type: keyword - - name: AuditSourceName - type: keyword - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: CallerProcessId - type: keyword - - name: CallerProcessName - type: keyword - - name: Category - type: keyword - - name: CategoryId - type: keyword - - name: ClientAddress - type: keyword - - name: ClientName - type: keyword - - name: CommandLine - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CrashOnAuditFailValue - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DisplayName - type: keyword - - name: DomainBehaviorVersion - type: keyword - - name: DomainName - type: keyword - - name: DomainPolicyChanged - type: keyword - - name: DomainSid - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: Dummy - type: keyword - - name: DwordVal - type: keyword - - 
name: EntryCount - type: keyword - - name: EventSourceId - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FailureReason - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: GroupTypeChange - type: keyword - - name: HandleId - type: keyword - - name: HomeDirectory - type: keyword - - name: HomePath - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KerberosPolicyChange - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonHours - type: keyword - - name: LogonId - type: keyword - - name: LogonID - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MachineAccountQuota - type: keyword - - name: MajorVersion - type: keyword - - name: MandatoryLabel - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: MixedDomainMode - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: keyword - - name: NewSchemeGuid - type: keyword - - name: NewSd - type: keyword - - name: NewSdDacl0 - type: keyword - - name: NewSdDacl1 - type: keyword - - name: NewSdDacl2 - type: keyword - - name: NewSdSacl0 - type: keyword - - name: NewSdSacl1 - type: keyword - - name: NewSdSacl2 - type: keyword - - name: NewTargetUserName - type: 
keyword - - name: NewTime - type: keyword - - name: NewUACList - type: keyword - - name: NewUacValue - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: ObjectName - type: keyword - - name: ObjectServer - type: keyword - - name: ObjectType - type: keyword - - name: OemInformation - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldSd - type: keyword - - name: OldSdDacl0 - type: keyword - - name: OldSdDacl1 - type: keyword - - name: OldSdDacl2 - type: keyword - - name: OldSdSacl0 - type: keyword - - name: OldSdSacl1 - type: keyword - - name: OldSdSacl2 - type: keyword - - name: OldTargetUserName - type: keyword - - name: OldTime - type: keyword - - name: OldUacValue - type: keyword - - name: OriginalFileName - type: keyword - - name: PackageName - type: keyword - - name: PasswordLastSet - type: keyword - - name: PasswordHistoryLength - type: keyword - - name: Path - type: keyword - - name: ParentProcessName - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreAuthType - type: keyword - - name: PreviousTime - type: keyword - - name: PrimaryGroupId - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: ProfilePath - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SamAccountName - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptPath - type: keyword - - name: SidHistory - type: keyword - - name: ScriptBlockText - type: keyword - - name: Service - type: keyword - - name: ServiceAccount - type: keyword - - name: ServiceFileName - type: keyword - - name: ServiceName - type: keyword - - name: ServiceSid 
- type: keyword - - name: ServiceStartType - type: keyword - - name: ServiceType - type: keyword - - name: ServiceVersion - type: keyword - - name: SessionName - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: SidFilteringEnabled - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StatusDescription - type: keyword - - name: StopTime - type: keyword - - name: SubCategory - type: keyword - - name: SubCategoryGuid - type: keyword - - name: SubcategoryGuid - type: keyword - - name: SubCategoryId - type: keyword - - name: SubcategoryId - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: SubStatus - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetSid - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TdoAttributes - type: keyword - - name: TdoDirection - type: keyword - - name: TdoType - type: keyword - - name: TerminalSessionId - type: keyword - - name: TicketEncryptionType - type: keyword - - name: TicketEncryptionTypeDescription - type: keyword - - name: TicketOptions - type: keyword - - name: TicketOptionsDescription - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserAccountControl - type: keyword - - name: UserParameters - type: keyword - - name: UserPrincipalName - type: keyword - - name: UserSid - 
type: keyword - - name: UserWorkstations - type: keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: WorkstationName - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: level - type: keyword - required: false - description: > - The event severity. Levels are Critical, Error, Warning and Information, Verbose - - - name: outcome - type: keyword - required: false - description: > - Success or Failure of the event. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. 
- - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. - - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: time_created - type: keyword - required: false - description: > - Time event was created - - - name: trustAttribute - type: keyword - required: false - - name: trustDirection - type: keyword - required: false - - name: trustType - type: keyword - required: false - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user_data - type: group - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - fields: - - name: BackupPath - type: keyword - - name: Channel - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: xml_name - type: keyword - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. - - If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. 
If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/winlog/1.5.1/data_stream/winlog/manifest.yml b/packages/winlog/1.5.1/data_stream/winlog/manifest.yml deleted file mode 100755 index 6b9b4669d7..0000000000 --- a/packages/winlog/1.5.1/data_stream/winlog/manifest.yml +++ /dev/null 
@@ -1,109 +0,0 @@
-title: Custom Windows Event Log Dataset
-type: logs
-streams:
- - input: winlog
- description: Collect Windows event logs from a custom channel
- title: Windows Event Logs
- template_path: winlog.yml.hbs
- vars:
- - name: channel
- type: text
- title: Channel Name
- description: >-
- Name of Windows event log channel (eg. Microsoft-Windows-PowerShell/Operational)
- required: true
- show_user: true
- - name: data_stream.dataset
- type: text
- title: Dataset name
- description: >-
- Dataset to write data to. Changing the dataset will send the data to a different index. You can't use `-` in the name of a dataset and only valid characters for [Elasticsearch index names](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-index_.html).
- default: winlog.winlog
- required: true
- show_user: true
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: >-
- Preserves a raw copy of the original XML event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: event_id
- type: text
- title: Event ID
- description: >-
- A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 IDs.
- required: false
- show_user: false
- name: ignore_older
- type: text
- title: Ignore events older than
- default: 72h
- required: false
- show_user: false
- description: >-
- If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
- name: language
- type: text
- title: Language ID
- description: >-
- The language ID the events will be rendered in. The language will be forced regardless of the system language.
A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language. E.g.: `0x0409` for `en-US`
- required: false
- show_user: false
- default: 0
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event
- required: false
- multi: true
- show_user: false
- - name: custom
- type: yaml
- title: Custom Configurations
- description: >-
- YAML configuration options for winlog input. Be careful, this may break the integration.
- required: false
- show_user: false
- default: |-
- # Winlog configuration example
- #processors:
- # - drop_event.when.not.or:
- # - equals.winlog.event_id: '903'
- # - equals.winlog.event_id: '1024'
- - input: httpjson
- title: Windows ForwardedEvents via Splunk Enterprise REST API
- description: Collect ForwardedEvents via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg. 10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: true
- required: true
- default: "search sourcetype=\"XmlWinEventLog:ChannelName\""
- - name: data_stream.dataset
- type: text
- title: Dataset name
- description: >-
- Dataset to write data to. Changing the dataset will send the data to a different index. You can't use `-` in the name of a dataset and only valid characters for [Elasticsearch index names](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-index_.html).
- default: winlog.winlog
- required: true
- show_user: true
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
diff --git a/packages/winlog/1.5.1/docs/README.md b/packages/winlog/1.5.1/docs/README.md
deleted file mode 100755
index 3279e226a2..0000000000
--- a/packages/winlog/1.5.1/docs/README.md
+++ /dev/null
@@ -1,283 +0,0 @@ -# Custom Windows event log package - -The custom Windows event log package allows you to ingest events from -any [Windows event log](https://docs.microsoft.com/en-us/windows/win32/wes/windows-event-log) channel. You can get a list of available event -log channels by running `Get-EventLog *` in PowerShell. Custom ingest -pipelines may be added by setting one up in -[Ingest Node Pipelines](/app/management/ingest/ingest_pipelines/). - -## Configuration - -### Ingesting Windows Events via Splunk - -This integration offers the ability to seamlessly ingest data from a Splunk Enterprise instance. -These integrations work by using the [httpjson input](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html) in Elastic Agent to run a Splunk search via the Splunk REST API and then extract the raw event from the results. -The raw event is then processed via the Elastic Agent. -The Splunk search is customizable and the interval between searches is customizable. -See the [Splunk API integration documentation](https://www.elastic.co/guide/en/observability/current/ingest-splunk.html) for more information. - -This integration requires Windows Events from Splunk to be in XML format. -To achieve this, `renderXml` needs to be set to `1` in your [inputs.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf) file. - -## Logs - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| input.type | Type of Filebeat input. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| tags | User defined tags | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computerObject.domain | | keyword | -| winlog.computerObject.id | | keyword | -| winlog.computerObject.name | | keyword | -| winlog.computer_name | The name of the computer that generated the record. 
When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AccessGranted | | keyword | -| winlog.event_data.AccessRemoved | | keyword | -| winlog.event_data.AccountDomain | | keyword | -| winlog.event_data.AccountExpires | | keyword | -| winlog.event_data.AccountName | | keyword | -| winlog.event_data.AllowedToDelegateTo | | keyword | -| winlog.event_data.AuditPolicyChanges | | keyword | -| winlog.event_data.AuditPolicyChangesDescription | | keyword | -| winlog.event_data.AuditSourceName | | keyword | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.CallerProcessId | | keyword | -| winlog.event_data.CallerProcessName | | keyword | -| winlog.event_data.Category | | keyword | -| winlog.event_data.CategoryId | | keyword | -| winlog.event_data.ClientAddress | | keyword | -| winlog.event_data.ClientName | | keyword | -| winlog.event_data.CommandLine | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CrashOnAuditFailValue | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor 
| | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DisplayName | | keyword | -| winlog.event_data.DomainBehaviorVersion | | keyword | -| winlog.event_data.DomainName | | keyword | -| winlog.event_data.DomainPolicyChanged | | keyword | -| winlog.event_data.DomainSid | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.Dummy | | keyword | -| winlog.event_data.DwordVal | | keyword | -| winlog.event_data.EntryCount | | keyword | -| winlog.event_data.EventSourceId | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FailureReason | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.GroupTypeChange | | keyword | -| winlog.event_data.HandleId | | keyword | -| winlog.event_data.HomeDirectory | | keyword | -| winlog.event_data.HomePath | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KerberosPolicyChange | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonHours | | keyword | -| winlog.event_data.LogonID | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| 
winlog.event_data.MachineAccountQuota | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MandatoryLabel | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.MixedDomainMode | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewSd | | keyword | -| winlog.event_data.NewSdDacl0 | | keyword | -| winlog.event_data.NewSdDacl1 | | keyword | -| winlog.event_data.NewSdDacl2 | | keyword | -| winlog.event_data.NewSdSacl0 | | keyword | -| winlog.event_data.NewSdSacl1 | | keyword | -| winlog.event_data.NewSdSacl2 | | keyword | -| winlog.event_data.NewTargetUserName | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NewUACList | | keyword | -| winlog.event_data.NewUacValue | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.ObjectName | | keyword | -| winlog.event_data.ObjectServer | | keyword | -| winlog.event_data.ObjectType | | keyword | -| winlog.event_data.OemInformation | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldSd | | keyword | -| winlog.event_data.OldSdDacl0 | | keyword | -| winlog.event_data.OldSdDacl1 | | keyword | -| winlog.event_data.OldSdDacl2 | | keyword | -| winlog.event_data.OldSdSacl0 | | keyword | -| winlog.event_data.OldSdSacl1 | | keyword | -| winlog.event_data.OldSdSacl2 | | keyword | -| winlog.event_data.OldTargetUserName | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OldUacValue | | keyword | -| 
winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.PackageName | | keyword | -| winlog.event_data.ParentProcessName | | keyword | -| winlog.event_data.PasswordHistoryLength | | keyword | -| winlog.event_data.PasswordLastSet | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreAuthType | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrimaryGroupId | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.ProfilePath | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SamAccountName | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ScriptPath | | keyword | -| winlog.event_data.Service | | keyword | -| winlog.event_data.ServiceAccount | | keyword | -| winlog.event_data.ServiceFileName | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceSid | | keyword | -| winlog.event_data.ServiceStartType | | keyword | -| winlog.event_data.ServiceType | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.SessionName | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.SidFilteringEnabled | | keyword | -| winlog.event_data.SidHistory | | keyword | -| winlog.event_data.Signature | | keyword | -| 
winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StatusDescription | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubCategory | | keyword | -| winlog.event_data.SubCategoryGuid | | keyword | -| winlog.event_data.SubCategoryId | | keyword | -| winlog.event_data.SubStatus | | keyword | -| winlog.event_data.SubcategoryGuid | | keyword | -| winlog.event_data.SubcategoryId | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetSid | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TdoAttributes | | keyword | -| winlog.event_data.TdoDirection | | keyword | -| winlog.event_data.TdoType | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TicketEncryptionType | | keyword | -| winlog.event_data.TicketEncryptionTypeDescription | | keyword | -| winlog.event_data.TicketOptions | | keyword | -| winlog.event_data.TicketOptionsDescription | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserAccountControl | | keyword | -| winlog.event_data.UserParameters | | keyword | -| winlog.event_data.UserPrincipalName | | keyword | -| winlog.event_data.UserSid | | keyword | -| 
winlog.event_data.UserWorkstations | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.WorkstationName | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.level | The event severity. Levels are Critical, Error, Warning and Information, Verbose | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.outcome | Success or Failure of the event. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. 
| keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.time_created | Time event was created | keyword | -| winlog.trustAttribute | | keyword | -| winlog.trustDirection | | keyword | -| winlog.trustType | | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | -| winlog.user_data.BackupPath | | keyword | -| winlog.user_data.Channel | | keyword | -| winlog.user_data.SubjectDomainName | | keyword | -| winlog.user_data.SubjectLogonId | | keyword | -| winlog.user_data.SubjectUserName | | keyword | -| winlog.user_data.SubjectUserSid | | keyword | -| winlog.user_data.xml_name | | keyword | -| winlog.version | The version number of the event's definition. | long | - diff --git a/packages/winlog/1.5.1/img/logo_windows.svg b/packages/winlog/1.5.1/img/logo_windows.svg deleted file mode 100755 index 953b33d8f5..0000000000 --- a/packages/winlog/1.5.1/img/logo_windows.svg +++ /dev/null @@ -1,3 +0,0 @@ - - - diff --git a/packages/winlog/1.5.1/manifest.yml b/packages/winlog/1.5.1/manifest.yml deleted file mode 100755 index c4b8e3bf60..0000000000 
--- a/packages/winlog/1.5.1/manifest.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-format_version: 1.0.0
-name: winlog
-title: Custom Windows Event Logs
-description: Collect and parse logs from any Windows event log channel with Elastic Agent.
-type: integration
-version: 1.5.1
-release: ga
-conditions:
- kibana.version: '^7.16.0 || ^8.0.0'
-license: basic
-categories:
- - custom
-policy_templates:
- - name: winlogs
- title: Custom Windows event logs
- description: Collect your custom Windows event logs.
- inputs:
- - type: winlog
- title: Custom Windows event logs
- description: Collect events from custom Windows event log channels.
- multi: true
- - type: httpjson
- title: Collect logs from third-party REST API (experimental)
- description: Collect logs from third-party REST API (experimental)
- vars:
- - name: url
- type: text
- title: URL of Splunk Enterprise Server
- description: i.e. scheme://host:port, path is automatic
- show_user: true
- required: true
- default: https://server.example.com:8089
- - name: username
- type: text
- title: Splunk REST API Username
- show_user: true
- required: false
- - name: password
- type: password
- title: Splunk REST API Password
- show_user: true
- required: false
- - name: token
- type: password
- title: Splunk Authorization Token
- description: |
- Bearer Token or Session Key, e.g. "Bearer eyJFd3e46..."
- or "Splunk 192fd3e...". Cannot be used with username
- and password.
- show_user: true
- required: false
- - name: ssl
- type: yaml
- title: SSL Configuration
- description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
- multi: false
- required: false
- show_user: false
- default: |
- #certificate_authorities:
- # - |
- # -----BEGIN CERTIFICATE-----
- # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
- # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
- # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
- # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
- # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
- # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
- # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
- # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
- # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
- # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
- # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
- # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
- # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
- # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
- # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
- # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
- # sxSmbIUfc2SGJGCJD4I=
- # -----END CERTIFICATE-----
-icons:
- - src: "/img/logo_windows.svg"
- type: "image/svg+xml"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/zerofox/1.3.1/changelog.yml b/packages/zerofox/1.3.1/changelog.yml
deleted file mode 100755
index c23abcba56..0000000000
--- a/packages/zerofox/1.3.1/changelog.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-# newer versions go on top
-- version: "1.3.1"
- changes:
- - description: update readme added a ink to zerofox readme
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3178
-- version: "1.3.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2781
-- version: "1.2.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.2.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2453
-- version: "1.1.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2230
-- version: "1.0.3"
- changes:
- - description: Uniform with guidelines
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2077
-- version: "1.0.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1993
-- version: "1.0.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1862
-- version: "1.0.0"
- changes:
- - description: GA package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1757
-- version: "0.2.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1636
-- version: "0.1.1"
- changes:
- - description: Escape special characters in docs
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1405
-- version: "0.1.0"
- changes:
- - description: initial release
- type: enhancement
- link: https://github.com/elastic/integrations/pull/971
diff --git a/packages/zerofox/1.3.1/data_stream/alerts/agent/stream/httpjson.yml.hbs b/packages/zerofox/1.3.1/data_stream/alerts/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index fb36b03e56..0000000000
--- a/packages/zerofox/1.3.1/data_stream/alerts/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,48 +0,0 @@
-config_version: "2"
-interval: {{interval}}
-request.method: "GET"
-
-{{#if url}}
-request.url: {{url}}
-{{/if}}
-{{#if http_client_timeout}}
-request.timeout: {{http_client_timeout}}
-{{/if}}
-
-request.transforms:
- - set:
- target: header.Authorization
- value: "Token {{zerofox_api_token}}"
- - set:
- target: url.params.min_timestamp
- value: "[[.cursor.last_execution_datetime]]"
- default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
-response.split:
- target: body.alerts
-response.pagination:
- - set:
- target: url.value
- value: "[[.last_response.body.next]]"
- fail_on_template_error: true
-
-cursor:
- last_execution_datetime:
- value: "[[formatDate now]]"
-{{#if tags.length}}
-tags:
-{{else if preserve_original_event}}
-tags:
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors.length}}
-processors:
- {{processors}}
-{{/if}}
diff --git a/packages/zerofox/1.3.1/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml b/packages/zerofox/1.3.1/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 1f26dc9c1e..0000000000
--- a/packages/zerofox/1.3.1/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,195 +0,0 @@ ---- -description: Pipeline for parsing zerofox alerts -processors: - ## ECS version. - - set: - field: ecs.version - value: "8.2.0" - - ## Event JSON decoding. - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: zerofox - - json: - field: zerofox.metadata - ignore_failure: true - - ## Parse event dates. - - date: - field: zerofox.content_created_at - target_field: event.created - formats: - - ISO8601 - ignore_failure: true - if: ctx?.zerofox?.content_created_at != null && ctx.zerofox.content_created_at != "" - - remove: - field: zerofox.content_created_at - ignore_missing: true - ignore_failure: true - if: ctx?.event?.created != null - - date: - field: zerofox.timestamp - target_field: "@timestamp" - formats: - - ISO8601 - ignore_failure: true - if: ctx?.zerofox?.timestamp != null && ctx.zerofox.timestamp != "" - - ## Event categorization. - - convert: - field: zerofox.id - target_field: event.id - type: string - ignore_failure: true - if: ctx?.zerofox?.id != null && ctx.zerofox.id != "" - - set: - field: event.kind - value: alert - - convert: - field: zerofox.severity - target_field: event.severity - type: long - ignore_missing: true - - rename: - field: zerofox.offending_content_url - target_field: event.url - ignore_missing: true - ignore_failure: true - if: ctx?.zerofox?.offending_content_url != null && ctx.zerofox.offending_content_url != "" - - ## Rule fields. 
- - convert: - field: zerofox.rule_id - target_field: rule.id - type: string - ignore_failure: true - if: ctx?.zerofox?.rule_id != null && ctx.zerofox.rule_id != "" - - rename: - field: zerofox.rule_name - target_field: rule.name - ignore_missing: true - ignore_failure: true - if: ctx?.zerofox?.rule_name != null && ctx.zerofox.rule_name != "" - - convert: - field: zerofox.rule_group_id - target_field: rule.ruleset - type: string - ignore_failure: true - if: ctx?.zerofox?.rule_group_id != null && ctx.zerofox.rule_group_id != "" - - rename: - field: zerofox.alert_type - target_field: rule.category - ignore_missing: true - ignore_failure: true - if: ctx?.zerofox?.alert_type != null && ctx.zerofox.alert_type != "" - - ## User fields. - - rename: - field: zerofox.assignee - target_field: user.name - ignore_missing: true - ignore_failure: true - if: ctx?.zerofox?.assignee != null && ctx.zerofox.assignee != "" - - append: - field: user.roles - value: assignee - allow_duplicates: false - if: ctx?.zerofox?.assignee != null && ctx.zerofox.assignee != "" - - ## Network fields. - - rename: - field: zerofox.network - target_field: network.name - ignore_missing: true - ignore_failure: true - if: ctx?.zerofox?.network != null && ctx.zerofox.network != "" - - ## Type conversions. 
- - convert: - field: zerofox.entity.id - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: zerofox.entity.entity_group.id - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: zerofox.entity_term.id - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: zerofox.perpetrator.id - type: string - ignore_missing: true - ignore_failure: true - - date: - field: zerofox.last_modified - target_field: zerofox.last_modified - formats: - - ISO8601 - ignore_failure: true - if: ctx?.zerofox?.last_modified != null && ctx.zerofox.last_modified != "" - - date: - field: zerofox.perpetrator.timestamp - target_field: zerofox.perpetrator.timestamp - formats: - - ISO8601 - ignore_failure: true - if: ctx?.zerofox?.perpetrator?.timestamp != null && ctx.zerofox.perpetrator.timestamp != "" - - foreach: - field: zerofox.entity.labels - processor: - convert: - field: _ingest._value.id - type: string - if: ctx?.zerofox?.entity?.labels != null && ctx.zerofox.entity.labels.size() > 0 - - ## Cleanup. - - remove: - field: - - _temp - - zerofox.id - - zerofox.severity - - zerofox.entered_by - - zerofox.asset - - zerofox.rule_id - - zerofox.rule_group_id - - zerofox.asset_term - - zerofox.business_network - - zerofox.entity_email_receiver_id - - zerofox.timestamp - - zerofox.logs - ignore_missing: true - ignore_failure: true - - script: - description: Remove all empty values from zerofox.perpetrator. - lang: painless - if: ctx?.zerofox?.perpetrator != null - source: ctx.zerofox.perpetrator?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("") || (entry.getValue() instanceof List && entry.getValue().length == 0) || (entry.getValue() instanceof Map && entry.getValue().size() == 0)); - - script: - description: Remove all empty values from zerofox.metadata. 
- lang: painless - if: ctx?.zerofox?.metadata != null - source: ctx?.zerofox?.metadata?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("") || (entry.getValue() instanceof List && entry.getValue().length == 0) || (entry.getValue() instanceof Map && entry.getValue().size() == 0)); - - script: - description: Remove all empty values from zerofox. - lang: painless - if: ctx?.zerofox != null - source: ctx?.zerofox?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("") || (entry.getValue() instanceof List && entry.getValue().length == 0) || (entry.getValue() instanceof Map && entry.getValue().size() == 0)); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" - diff --git a/packages/zerofox/1.3.1/data_stream/alerts/fields/agent.yml b/packages/zerofox/1.3.1/data_stream/alerts/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/zerofox/1.3.1/data_stream/alerts/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zerofox/1.3.1/data_stream/alerts/fields/base-fields.yml b/packages/zerofox/1.3.1/data_stream/alerts/fields/base-fields.yml deleted file mode 100755 index 0e4b6bde4f..0000000000 --- a/packages/zerofox/1.3.1/data_stream/alerts/fields/base-fields.yml +++ /dev/null @@ -1,34 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: dataset.type - type: constant_keyword - description: Dataset type. -- name: dataset.name - type: constant_keyword - description: Dataset name. -- name: dataset.namespace - type: constant_keyword - description: Dataset namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: zerofox -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zerofox.alerts -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/zerofox/1.3.1/data_stream/alerts/fields/beats.yml b/packages/zerofox/1.3.1/data_stream/alerts/fields/beats.yml deleted file mode 100755 index 3c48f1f224..0000000000 --- a/packages/zerofox/1.3.1/data_stream/alerts/fields/beats.yml +++ /dev/null @@ -1,3 +0,0 @@ -- name: input.type - type: keyword - description: Type of Filebeat input. diff --git a/packages/zerofox/1.3.1/data_stream/alerts/fields/ecs.yml b/packages/zerofox/1.3.1/data_stream/alerts/fields/ecs.yml deleted file mode 100755 index e4028c0249..0000000000 --- a/packages/zerofox/1.3.1/data_stream/alerts/fields/ecs.yml +++ /dev/null 
@@ -1,72 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. 
- name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: |- - URL linking to an external system to continue investigation of this event. - This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. - name: event.url - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The name of the rule or signature generating the event. 
- name: rule.name - type: keyword -- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. - name: rule.ruleset - type: keyword -- description: A categorization value keyword used by the entity using the rule for detection of this event. - name: rule.category - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Array of user roles at the time of the event. - name: user.roles - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: Error message. - name: error.message - type: match_only_text diff --git a/packages/zerofox/1.3.1/data_stream/alerts/fields/fields.yml b/packages/zerofox/1.3.1/data_stream/alerts/fields/fields.yml deleted file mode 100755 index 0b8c40aaee..0000000000 --- a/packages/zerofox/1.3.1/data_stream/alerts/fields/fields.yml +++ /dev/null 
@@ -1,92 +0,0 @@ -- name: zerofox.entity.id - type: keyword - description: The entity identifier. -- name: zerofox.entity.name - type: keyword - description: The entity name. -- name: zerofox.entity.image - type: keyword - description: The entity default image url. -- name: zerofox.entity.labels - type: group - fields: - - name: id - type: keyword - description: The entity label identifier - - name: name - type: keyword - description: The entity label text -- name: zerofox.entity.entity_group.id - type: integer - description: The entity group identifier. -- name: zerofox.entity.entity_group.name - type: keyword - description: The entity group name. -- name: zerofox.escalated - type: boolean -- name: zerofox.entity_term.id - type: keyword -- name: zerofox.entity_term.name - type: keyword -- name: zerofox.entity_term.deleted - type: boolean -- name: zerofox.protected_account - type: keyword -- name: zerofox.perpetrator.id - type: keyword -- name: zerofox.perpetrator.username - type: keyword -- name: zerofox.perpetrator.display_name - type: keyword -- name: zerofox.perpetrator.content - type: keyword -- name: zerofox.perpetrator.name - type: keyword -- name: zerofox.perpetrator.account_number - type: keyword -- name: zerofox.perpetrator.destination_account_number - type: keyword -- name: zerofox.perpetrator.parent_post_number - type: keyword -- name: zerofox.perpetrator.parent_post_url - type: keyword -- name: zerofox.perpetrator.parent_post_account_number - type: keyword -- name: zerofox.perpetrator.post_number - type: keyword -- name: zerofox.perpetrator.network - type: keyword -- name: zerofox.perpetrator.image - type: keyword -- name: zerofox.perpetrator.url - type: keyword -- name: zerofox.perpetrator.type - type: keyword -- name: zerofox.perpetrator.post_type - type: keyword -- name: zerofox.perpetrator.timestamp - type: keyword -- name: zerofox.darkweb_term - type: keyword -- name: zerofox.protected_locations - type: keyword -- name: zerofox.metadata - type: 
flattened -- name: zerofox.status - type: keyword -- name: zerofox.last_modified - type: date -- name: zerofox.reviewed - type: boolean -- name: zerofox.protected_social_object - type: keyword -- name: zerofox.notes - type: text -- name: zerofox.reviews - type: keyword -- name: zerofox.content_actions - type: keyword -- name: zerofox.entity_account - type: keyword -- name: zerofox.tags - type: keyword diff --git a/packages/zerofox/1.3.1/data_stream/alerts/manifest.yml b/packages/zerofox/1.3.1/data_stream/alerts/manifest.yml deleted file mode 100755 index e4c8c40f09..0000000000 --- a/packages/zerofox/1.3.1/data_stream/alerts/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -type: logs -title: Alerts -streams: - - input: httpjson - template_path: httpjson.yml.hbs - title: ZeroFox Alert logs (httpjson) - description: Collect alert logs using httpjson input - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n" diff --git a/packages/zerofox/1.3.1/docs/README.md b/packages/zerofox/1.3.1/docs/README.md deleted file mode 100755 index 2f2bbe1389..0000000000 --- a/packages/zerofox/1.3.1/docs/README.md +++ /dev/null 
@@ -1,115 +0,0 @@
-# ZeroFox Cloud Platform Integration
-
-The ZeroFox Platform integration collects and parses data from the the [ZeroFox](https://www.zerofox.com/) Alert APIs.
-
-## Compatibility
-
-This integration supports the ZeroFox API v1.0
-
-### ZeroFox
-
-Contains alert data received from the ZeroFox Cloud Platform
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dataset.name | Dataset name. | constant_keyword |
-| dataset.namespace | Dataset namespace. | constant_keyword |
-| dataset.type | Dataset type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
| keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id.
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| network.name | Name given by operators to sections of their network. | keyword |
-| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| user.name | Short name or login of the user.
| keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user.roles | Array of user roles at the time of the event. | keyword |
-| zerofox.content_actions | | keyword |
-| zerofox.darkweb_term | | keyword |
-| zerofox.entity.entity_group.id | The entity group identifier. | integer |
-| zerofox.entity.entity_group.name | The entity group name. | keyword |
-| zerofox.entity.id | The entity identifier. | keyword |
-| zerofox.entity.image | The entity default image url. | keyword |
-| zerofox.entity.labels.id | The entity label identifier | keyword |
-| zerofox.entity.labels.name | The entity label text | keyword |
-| zerofox.entity.name | The entity name. | keyword |
-| zerofox.entity_account | | keyword |
-| zerofox.entity_term.deleted | | boolean |
-| zerofox.entity_term.id | | keyword |
-| zerofox.entity_term.name | | keyword |
-| zerofox.escalated | | boolean |
-| zerofox.last_modified | | date |
-| zerofox.metadata | | flattened |
-| zerofox.notes | | text |
-| zerofox.perpetrator.account_number | | keyword |
-| zerofox.perpetrator.content | | keyword |
-| zerofox.perpetrator.destination_account_number | | keyword |
-| zerofox.perpetrator.display_name | | keyword |
-| zerofox.perpetrator.id | | keyword |
-| zerofox.perpetrator.image | | keyword |
-| zerofox.perpetrator.name | | keyword |
-| zerofox.perpetrator.network | | keyword |
-| zerofox.perpetrator.parent_post_account_number | | keyword |
-| zerofox.perpetrator.parent_post_number | | keyword |
-| zerofox.perpetrator.parent_post_url | | keyword |
-| zerofox.perpetrator.post_number | | keyword |
-| zerofox.perpetrator.post_type | | keyword |
-| zerofox.perpetrator.timestamp | | keyword |
-| zerofox.perpetrator.type | | keyword |
-| zerofox.perpetrator.url | | keyword |
-| zerofox.perpetrator.username | | keyword |
-| zerofox.protected_account | | keyword |
-| zerofox.protected_locations | | keyword |
-| zerofox.protected_social_object | | keyword |
-| zerofox.reviewed | | boolean |
-| zerofox.reviews | | keyword |
-| zerofox.status | | keyword |
-| zerofox.tags | | keyword |
diff --git a/packages/zerofox/1.3.1/img/logo.svg b/packages/zerofox/1.3.1/img/logo.svg
deleted file mode 100755
index 0038c4381b..0000000000
--- a/packages/zerofox/1.3.1/img/logo.svg
+++ /dev/null
@@ -1 +0,0 @@
- foxy-mark
\ No newline at end of file
diff --git a/packages/zerofox/1.3.1/manifest.yml b/packages/zerofox/1.3.1/manifest.yml
deleted file mode 100755
index 1fa5e21ffa..0000000000
--- a/packages/zerofox/1.3.1/manifest.yml
+++ /dev/null
@@ -1,67 +0,0 @@ -name: zerofox -title: ZeroFox -version: 1.3.1 -release: ga -description: Collect data from ZeroFox Cloud Platform with Elastic Agent. -type: integration -format_version: 1.0.0 -license: basic -icons: - - src: /img/logo.svg - title: logo ZeroFox - size: 32x32 - type: image/svg+xml -categories: - - cloud - - security -conditions: - kibana.version: ^7.14 || ^8.0.0 -policy_templates: - - name: zerofox - title: ZeroFox Alerts - description: Collect alert from the ZeroFox API - inputs: - - type: httpjson - vars: - - name: http_client_timeout - type: text - title: Http Client Timeout - description: Duration of the time limit on HTTP requests. - multi: false - required: true - show_user: true - default: 60s - - name: url - type: text - title: ZeroFox API URL - multi: false - required: true - show_user: true - default: https://api.zerofox.com/1.0/alerts/ - - name: zerofox_api_token - type: password - title: ZeroFox API Token - description: zerofox api token - multi: false - required: true - show_user: true - - name: initial_interval - type: text - title: Initial Interval - description: How far back to pull the initial alerts - multi: false - required: true - show_user: true - default: 720h - - name: interval - type: text - title: Periodic Polling Interval - description: How often to poll the ZeroFox API for new alerts - multi: false - required: true - show_user: true - default: 10m - title: "Collect alert logs (input: httpjson)" - description: "Collecting alert logs (input: httpjson)" -owner: - github: elastic/security-external-integrations